OrderBook

​

​

The `emergencyWithdrawERC20()` function prohibits withdrawal of core tokens (wETH, wBTC, wSOL, USDC), but allows any other token to be withdrawn by the owner, including newly whitelisted sell tokens.

​

// @> check only excludes hardcoded core tokens

if (

​

​

**Likelihood**:

​

* Happens when admin whitelists a new token via `setAllowedSellToken`.

* Emergency withdrawal allows full asset drain.

​

**Impact**:

​

* Partial or full rug of newly supported tokens.

* Trust assumptions on "owner" role are violated.

​

​

The `owner` role can whitelist a new token using `setAllowedSellToken()` and allow users to create sell orders with it. Later, the owner can call `emergencyWithdrawERC20()` to **steal all user-deposited tokens** of that new type.

​

Whitelist a new token (e.g., `XToken`)

​

orderBook.setAllowedSellToken(address(XToken), true);

​

Users create sell orders with the new token

​

orderBook.createSellOrder(address(XToken), 1000e18, 100e6, 3600);

​

Tokens are now held by the contract.

​

Owner can drain all XToken via emergencyWithdraw

​

orderBook.emergencyWithdrawERC20(address(XToken), 1000e18, ownerAddress);

​

- Users lose their deposits. There is no check to prevent the owner from withdrawing **non-core, but still active** tokens with open orders.

​

​

Maintain a list of "protected" tokens and block their withdrawal, or forbid withdrawal of any token in `allowedSellToken == true`.

​

- if (_tokenAddress == iWETH || ...)

+ if (allowedSellToken[_tokenAddress] || _tokenAddress == address(iUSDC)) revert();

​

This fixes the problem but now there is no use of `emergencyWithdrawERC20` remaining and to increase user trust in protocol this function shall be removed completely.