OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

L-01. Centralization Risk Due to Privileged Owner Functions

Root + Impact

  • Centralization Risk + Excessive Owner Privileges

Description

  • The OrderBook contract is designed to facilitate decentralized trading operations where users can place buy and sell orders with minimal trust assumptions.

  • The contract owner has excessive privileged access including the ability to control allowed tokens, perform emergency withdrawals of user funds, and withdraw collected fees, creating significant centralization risks.

contract OrderBook is Ownable {
    // ...

    function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
        // @> Owner can arbitrarily disable tokens, potentially trapping user funds
        allowedSellTokens[_token] = _isAllowed;
        emit AllowedSellTokenUpdated(_token, _isAllowed);
    }

    function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
        // @> Owner can withdraw any ERC20 tokens from the contract, including user deposits
        IERC20(_tokenAddress).transfer(_to, _amount);
        emit EmergencyWithdrawERC20(_tokenAddress, _amount, _to);
    }

    function withdrawFees(address _to) external onlyOwner {
        // @> Owner controls all fee withdrawals
        payable(_to).transfer(address(this).balance);
        emit FeesWithdrawn(_to, address(this).balance);
    }
}

Risk

Likelihood:

  • Owner key compromise occurs regularly in DeFi protocols due to phishing, social engineering, or operational security failures

  • Malicious or compromised owner actions can happen at any time without user consent or advance notice

Impact:

  • Users lose trust in the protocol due to centralization concerns, reducing adoption and liquidity

  • Owner can disable token trading by setting allowedSellTokens[token] = false, potentially trapping user funds in active orders

  • Emergency withdrawal function allows owner to drain any ERC20 tokens from the contract, including user deposits

  • Fee withdrawal centralization prevents transparent and automated fee distribution mechanisms

POC

  • N/A (Low Finding - self explanatory)

Recommended Mitigation

The centralization risks can be mitigated through several mechanisms that distribute control and add transparency:

+ // Implement multi-signature wallet for owner functions
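Review bot: the only added line is a comment, so this diff changes no behaviour of setAllowedSellToken, emergencyWithdrawERC20 or withdrawFees. State concretely how the multi-signature wallet is meant to take over the owner role (which address receives ownership and which of the three functions it gates) so the mitigation can be checked against the contract.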
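The multi-signature recommendation above, sketched as an added Solidity example (not code from the OrderBook contract or from this submission): a minimal M-of-N gate that would hold the contract's ownership so that each onlyOwner call needs several approvals. The names OwnerActionGate, target, threshold, approve and execute are hypothetical, and the signer set fixed at deployment is a simplification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Added example (hypothetical, not OrderBook code): M-of-N gate intended to hold
/// OrderBook ownership, so onlyOwner calls need `threshold` distinct signer approvals.
contract OwnerActionGate {
    address public immutable target;    // assumed: the deployed OrderBook
    uint256 public immutable threshold; // approvals required per action
    mapping(address => bool) public isSigner;
    mapping(bytes32 => uint256) public approvalCount;
    mapping(bytes32 => mapping(address => bool)) public approvedBy;
    mapping(bytes32 => bool) public executed;
    event Approved(bytes32 indexed id, address indexed signer);
    event Executed(bytes32 indexed id, bytes data);

    constructor(address _target, address[] memory _signers, uint256 _threshold) {
        require(_target != address(0), "target=0");
        require(_threshold > 1 && _threshold <= _signers.length, "bad threshold");
        for (uint256 i = 0; i < _signers.length; i++) {
            require(_signers[i] != address(0) && !isSigner[_signers[i]], "bad signer");
            isSigner[_signers[i]] = true;
        }
        target = _target;
        threshold = _threshold;
    }

    // The id binds chain, gate, target, exact calldata and nonce: no reuse, no replay.
    function actionId(bytes calldata data, uint256 nonce) public view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this), target, data, nonce));
    }

    function approve(bytes calldata data, uint256 nonce) external {
        require(isSigner[msg.sender], "not signer");
        bytes32 id = actionId(data, nonce);
        require(!executed[id] && !approvedBy[id][msg.sender], "done or duplicate");
        approvedBy[id][msg.sender] = true;
        approvalCount[id] += 1;
        emit Approved(id, msg.sender);
    }

    function execute(bytes calldata data, uint256 nonce) external {
        require(isSigner[msg.sender], "not signer");
        bytes32 id = actionId(data, nonce);
        require(!executed[id] && approvalCount[id] >= threshold, "not executable");
        executed[id] = true; // mark before the external call (checks-effects-interactions)
        (bool ok, ) = target.call(data);
        require(ok, "owner call failed");
        emit Executed(id, data);
    }
}
```

With ownership transferred to the gate (assuming the OpenZeppelin Ownable that the contract inherits), a call such as withdrawFees(_to) is ABI-encoded as `data`, approved by `threshold` signers, and only then forwarded; the Approved events give users on-chain notice of a pending owner action.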
Updates

Lead Judging Commences

yeahchibyke Lead Judge 9 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
