OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Core Token Misclassification in Emergency Withdrawal


Description

  • The emergencyWithdrawERC20 function restricts the withdrawal of certain "core" tokens via an emergency mechanism.

  • The function currently includes iUSDC in the list of protected tokens alongside iWETH, iWBTC, and iWSOL.

  • However, iUSDC is not a core token in the same sense — it is a utility or quote token used for trading core tokens rather than being a core asset itself.

  • This misclassification unnecessarily blocks emergency withdrawal of iUSDC, which could be needed for operational recovery or de-risking scenarios.

function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
    // @audit: iUSDC is not a core token and shouldn't be restricted here
    if (
        _tokenAddress == address(iWETH) || _tokenAddress == address(iWBTC) || _tokenAddress == address(iWSOL)
            || _tokenAddress == address(iUSDC)
    ) {
        revert("Cannot withdraw core order book tokens via emergency function");
    }
    if (_to == address(0)) {
        revert InvalidAddress();
    }
    IERC20 token = IERC20(_tokenAddress);
    token.safeTransfer(_to, _amount);
    emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
}

Reference Files

| File | Function | Lines | Note |
|------|----------|-------|------|
| ./src/OrderBook.sol | emergencyWithdrawERC20 | L282–L297 | iUSDC is treated as a core token incorrectly |

Risk

Likelihood:

  • This logic is triggered every time the owner tries to perform an emergency withdrawal of iUSDC.

  • Will likely occur during emergency response or protocol maintenance.

Impact:

  • Prevents timely access to iUSDC during emergencies.

  • Could lock protocol funds or prevent manual intervention during outages or exploit scenarios.

  • Misleads developers and operators about the role of iUSDC within the system.


Proof of Concept (PoC)

// Current behavior (reverts unnecessarily):
emergencyWithdrawERC20(address(iUSDC), 1_000e6, recoveryWallet); // ❌ reverts
// Suggested behavior (allowed withdrawal):
emergencyWithdrawERC20(address(iUSDC), 1_000e6, recoveryWallet); // ✅ allowed — USDC is not a core token

Recommended Mitigation

  1. Remove iUSDC from the blocked tokens list
    Restrict only actual core tokens that are essential to protocol state integrity:

function emergencyWithdrawERC20(address _tokenAddress, uint256 _amount, address _to) external onlyOwner {
    if (
        _tokenAddress == address(iWETH) ||
        _tokenAddress == address(iWBTC) ||
        _tokenAddress == address(iWSOL)
    ) {
        revert("Cannot withdraw core order book tokens via emergency function");
    }
    if (_to == address(0)) {
        revert InvalidAddress();
    }
    IERC20 token = IERC20(_tokenAddress);
    token.safeTransfer(_to, _amount);
    emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
}

  2. Update the comment and function documentation
    Clarify the role of iUSDC as a utility/trade token, not a core protocol reserve asset.

  3. Review usage assumptions across codebase
    Ensure consistent treatment of iUSDC in other functions where core tokens are handled differently from utility tokens.
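
A Foundry regression test that pins which tokens the guard in emergencyWithdrawERC20 refuses, so any change to that list shows up as a failing test and gets reviewed. This is an added example, not part of the submission or the OrderBook repository. It assumes forge-std and OpenZeppelin are installed under the usual remappings and that the OrderBook constructor takes (weth, wbtc, wsol, usdc, owner) in that order; MockToken and the test names are constructed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {OrderBook} from "../src/OrderBook.sol";

// Constructed mock token, used only by this test.
contract MockToken is ERC20 {
    constructor(string memory sym) ERC20(sym, sym) {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

contract EmergencyWithdrawGuardTest is Test {
    bytes constant BLOCKED = "Cannot withdraw core order book tokens via emergency function";
    address owner = makeAddr("owner");
    address recoveryWallet = makeAddr("recoveryWallet");
    OrderBook book;
    MockToken[4] listed; // stand-ins for iWETH, iWBTC, iWSOL, iUSDC (in that order)
    MockToken stray;     // a token the order book does not list

    function setUp() public {
        for (uint256 i; i < 4; ++i) listed[i] = new MockToken("LISTED");
        stray = new MockToken("STRAY");
        // ASSUMPTION: constructor argument order is (weth, wbtc, wsol, usdc, owner).
        book = new OrderBook(
            address(listed[0]), address(listed[1]), address(listed[2]), address(listed[3]), owner);
    }

    // Pins the current guard: all four listed tokens, iUSDC included, are refused.
    function test_listedTokensAreBlocked() public {
        for (uint256 i; i < 4; ++i) {
            listed[i].mint(address(book), 1_000e6);
            vm.prank(owner);
            vm.expectRevert(BLOCKED);
            book.emergencyWithdrawERC20(address(listed[i]), 1_000e6, recoveryWallet);
            assertEq(listed[i].balanceOf(address(book)), 1_000e6); // balance untouched
        }
    }

    // A token outside the list can still be recovered through the emergency path.
    function test_unlistedTokenIsWithdrawn() public {
        stray.mint(address(book), 5 ether);
        vm.prank(owner);
        book.emergencyWithdrawERC20(address(stray), 5 ether, recoveryWallet);
        assertEq(stray.balanceOf(recoveryWallet), 5 ether);
    }
}
```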

Updates

Lead Judging Commences

yeahchibyke Lead Judge 9 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
