OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

Order details string doesn't contain token symbol for non-core tokens

romans

[M-1] `OrderBook::getOrderDetailsString` function does not make a call to the token contract in order to get a symbol for non-core tokens, resulting in token symbol not showing in the order details

Description: The OrderBook::getOrderDetailsString function checks order.tokenToSell to determine the token symbol.

string memory tokenSymbol;

if (order.tokenToSell == address(iWETH)) {

tokenSymbol = 'wETH';

} else if (order.tokenToSell == address(iWBTC)) {

tokenSymbol = 'wBTC';

} else if (order.tokenToSell == address(iWSOL)) {

tokenSymbol = 'wSOL';

}

However, this only works for core tokens (wETH, wBTC and wSOL). For any other token tokenSymbol stays blank.

Impact:
As a result, potential buyers are not able to see which token is being sold by looking at the order details (unless the token is wETH, wBTC or wSOL). This will discourage potential buyers from purchasing tokens.

Proof of Concept:

Create a TestToken.sol file in /test/mocks with the following code:

// SPDX-License-Identifier: SEE LICENSE IN LICENSE

pragma solidity ^0.8.0;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract TestToken is ERC20 {

constructor() ERC20("Test Token", "TTK") {}

function mint(address to, uint256 amount) public {

_mint(to, amount);

}

Add the following code to test/TestOrderBook.t.sol:

function test_tokenSymbolIsBlank() public {

TestToken testToken = new TestToken();

address seller = makeAddr("seller");

testToken.mint(seller, 1e8);

vm.startPrank(owner);

book.setAllowedSellToken(address(testToken), true);

vm.stopPrank();

vm.startPrank(seller);

testToken.approve(address(book), type(uint256).max);

uint256 orderId = book.createSellOrder(address(testToken), 1e8, 180_000e6, 2 days);

vm.stopPrank();

console2.log("Order details: ", book.getOrderDetailsString(orderId));

}

Run forge test --mt test_tokenSymbolIsBlank -vvv command.
Observe that the order details string does not contain the token symbol.

Recommended Mitigation:
Add staticcall to get symbol from the token contract.

@@ -231,1 +231,6 @@

- }

+ } else {

+ (bool success, bytes memory data) = order.tokenToSell.staticcall(abi.encodeWithSignature("symbol()"));

+ if (success) {

+ tokenSymbol = string(data);

+ }

Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.