OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Disabling Allowed Token Does Not Affect Existing Active Orders

Root + Impact

Description

  • Normal behavior: The allowedSellToken mapping controls which tokens can be used to create new sell orders. The owner can enable or disable tokens at any time using setAllowedSellToken.

  • Issue: If the owner sets allowedSellToken[token] = false for a token that already has active orders, users will not be able to create new orders with that token, but existing orders remain in the order book and can still be bought or canceled. This can lead to confusion, and in some cases, if the token is later re-enabled, it could be used again without additional review.

function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
    if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken(); // Cannot allow null or USDC itself
    allowedSellToken[_token] = _isAllowed; // @> can be set to false at any time
    emit TokenAllowed(_token, _isAllowed);
}

Risk

Likelihood:

  • This will occur whenever the owner disables a token that already has active orders in the order book.

  • Users may be confused or affected if they expect all tokens in active orders to remain tradable or withdrawable.

Impact:

  • Users cannot create new orders for the disabled token, but existing orders are unaffected, which may cause confusion.

  • If the token is malicious or problematic, disabling it does not remove or cancel existing orders, so some risk remains.

Proof of Concept

Users will still be able to call buyOrder on an existing order even if its token is no longer allowed to be sold.

// Owner enables token T: setAllowedSellToken(T, true)
// User creates order with token T
// Owner disables token T: setAllowedSellToken(T, false)
// User cannot create new orders with T, but existing order can still be bought or canceled
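
The sequence above in a self-contained model, together with a fill-time allowlist check that closes the gap without iterating over orders. This is an added example, not the audited OrderBook code or part of the submission; token transfers, pricing, deadlines and the USDC exclusion are left out, and every name other than allowedSellToken, setAllowedSellToken, InvalidToken, TokenAllowed and buyOrder is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration; not the audited OrderBook contract.
// Only the allowlist logic is modelled (no transfers, prices or deadlines).
contract OrderBookAllowlistModel {
    struct Order { address seller; address token; bool isActive; }
    address public immutable owner;
    uint256 public nextOrderId = 1;
    mapping(address => bool) public allowedSellToken;
    mapping(uint256 => Order) public orders;
    error NotOwner();
    error InvalidToken();
    error OrderNotActive();
    error TokenDisabled(); // hypothetical error added for the fill-time check
    error NotSeller();
    event TokenAllowed(address indexed token, bool isAllowed);

    constructor() { owner = msg.sender; }

    function setAllowedSellToken(address _token, bool _isAllowed) external {
        if (msg.sender != owner) revert NotOwner();
        if (_token == address(0)) revert InvalidToken();
        allowedSellToken[_token] = _isAllowed; // O(1): no loop over orders
        emit TokenAllowed(_token, _isAllowed);
    }

    function createSellOrder(address _token) external returns (uint256 id) {
        if (!allowedSellToken[_token]) revert InvalidToken();
        id = nextOrderId++;
        orders[id] = Order(msg.sender, _token, true);
    }

    function buyOrder(uint256 _orderId) external {
        Order storage order = orders[_orderId];
        if (!order.isActive) revert OrderNotActive();
        // Without the next line, an order created before the token was
        // disabled can still be filled (the behaviour reported here).
        if (!allowedSellToken[order.token]) revert TokenDisabled();
        order.isActive = false;
    }

    // Cancellation is not gated, so sellers can always exit a disabled token.
    function cancelSellOrder(uint256 _orderId) external {
        Order storage order = orders[_orderId];
        if (order.seller != msg.sender) revert NotSeller();
        if (!order.isActive) revert OrderNotActive();
        order.isActive = false;
    }
}
```

Because the check is evaluated at fill time, re-enabling the token makes its frozen orders fillable again, which is the re-enable case the description raises.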

Recommended Mitigation

Listen for events (or iterate over existing orders, which is expensive) and mark active orders for the disabled token as inactive.

- allowedSellToken[_token] = _isAllowed;
+ allowedSellToken[_token] = _isAllowed;
+ // Optionally, iterate through orders and mark as inactive or emit an event for all active orders with this token
+ // (Note: Iterating on-chain is expensive; consider off-chain monitoring or event-based warnings)
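
Review bot: the removed and added assignment lines are identical, so this patch changes no behaviour; the only additions are two comments describing what could be done. If existing orders for a disabled token should stop being fillable, put an actual check in the fill path, for example have buyOrder revert when allowedSellToken is false for the order's token. That avoids the on-chain iteration the second comment warns about and leaves cancellation available to sellers.
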
Updates

Lead Judging Commences

yeahchibyke Lead Judge
about 1 month ago
Submission Judgement Published
Invalidated
Reason: Design choice
