OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Order details string doesn't contain token symbol for non-core tokens

[M-1] OrderBook::getOrderDetailsString does not call the token contract to fetch the symbol of non-core tokens, so the token symbol is missing from the order details

Description: The OrderBook::getOrderDetailsString function compares order.tokenToSell against the three core token addresses to determine the token symbol.

string memory tokenSymbol;
if (order.tokenToSell == address(iWETH)) {
    tokenSymbol = 'wETH';
} else if (order.tokenToSell == address(iWBTC)) {
    tokenSymbol = 'wBTC';
} else if (order.tokenToSell == address(iWSOL)) {
    tokenSymbol = 'wSOL';
}

However, this only works for the core tokens (wETH, wBTC and wSOL). For any other allowed sell token, tokenSymbol stays blank.

Impact:
As a result, potential buyers cannot tell which token is being sold from the order details (unless the token is wETH, wBTC or wSOL). This will discourage potential buyers from purchasing tokens.

Proof of Concept:

  1. Create a TestToken.sol file in /test/mocks with the following code:

// SPDX-License-Identifier: SEE LICENSE IN LICENSE
pragma solidity ^0.8.0;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Minimal ERC-20 mock with a symbol ("TTK") that is not one of the core tokens.
contract TestToken is ERC20 {
    constructor() ERC20("Test Token", "TTK") {}

    // Unrestricted mint so the test can fund the seller.
    function mint(address to, uint256 amount) public {
        _mint(to, amount);
    }
}
  2. Add the following code to test/TestOrderBook.t.sol:

function test_tokenSymbolIsBlank() public {
    // Deploy a non-core token and fund a seller with it.
    TestToken testToken = new TestToken();
    address seller = makeAddr("seller");
    testToken.mint(seller, 1e8);

    // The owner whitelists the token as a sell token.
    vm.startPrank(owner);
    book.setAllowedSellToken(address(testToken), true);
    vm.stopPrank();

    // The seller lists 1e8 TTK for 180,000 USDC with a 2-day deadline.
    vm.startPrank(seller);
    testToken.approve(address(book), type(uint256).max);
    uint256 orderId = book.createSellOrder(address(testToken), 1e8, 180_000e6, 2 days);
    vm.stopPrank();

    // The details string has no symbol because TTK is not wETH, wBTC or wSOL.
    console2.log("Order details: ", book.getOrderDetailsString(orderId));
}
  3. Run the forge test --mt test_tokenSymbolIsBlank -vvv command.

  4. Observe that the order details string does not contain the token symbol.

Recommended Mitigation:
Add a staticcall to fetch the symbol from the token contract when it is not a core token.

@@ -231,1 +231,6 @@
- }
+ } else {
+ (bool success, bytes memory data) = order.tokenToSell.staticcall(abi.encodeWithSignature("symbol()"));
+ if (success) {
+ tokenSymbol = string(data);
+ }
+ }
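Review bot: `tokenSymbol = string(data);` casts the raw ABI-encoded return data, which for a `string` return value carries a 32-byte offset word and a 32-byte length word before the UTF-8 bytes, so the resulting symbol would be prefixed with two words of binary garbage; decode it with `abi.decode(data, (string))` instead. Since `symbol()` is optional in ERC-20 and some older tokens return a `bytes32`, also check `data.length` before decoding (a one-word return would make `abi.decode(..., (string))` revert and turn the view function into a denial of service for those orders) and fall back to a placeholder when the symbol cannot be read.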
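The following is an added example, not code from the OrderBook project, showing a symbol lookup that handles the cases the plain cast above does not: it decodes a standard string-returning symbol() correctly, tolerates tokens whose symbol() returns bytes32, and falls back to a placeholder instead of reverting when the call fails. The library name TokenSymbol, the two mock tokens and the "UNKNOWN" placeholder are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the OrderBook project's code).
// Resolves an ERC-20 symbol without trusting the shape of the return data.
library TokenSymbol {
    /// @notice Returns the token's symbol, or "UNKNOWN" when it cannot be read.
    /// @dev symbol() is optional in ERC-20, so every failure path is handled
    ///      rather than reverting, which keeps view functions using this safe.
    function resolve(address token) internal view returns (string memory) {
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSignature("symbol()"));
        if (!ok || data.length == 0) {
            return "UNKNOWN";
        }

        // Standard case: ABI-encoded string = offset word + length word + padded bytes.
        // A direct string(data) cast would keep the two header words in the result.
        if (data.length >= 64) {
            uint256 offset;
            uint256 len;
            assembly {
                offset := mload(add(data, 32)) // first word: offset of the string head
                len := mload(add(data, 64))    // second word: byte length of the string
            }
            // Only decode well-formed data; abi.decode reverts on malformed input.
            if (offset == 32 && len <= data.length - 64) {
                return abi.decode(data, (string));
            }
            return "UNKNOWN";
        }

        // Some older tokens declare symbol() as bytes32: exactly one return word.
        if (data.length == 32) {
            bytes32 raw = abi.decode(data, (bytes32));
            return _bytes32ToString(raw);
        }
        return "UNKNOWN";
    }

    // Copies the bytes of a zero-padded bytes32 up to the first NUL byte.
    function _bytes32ToString(bytes32 raw) private pure returns (string memory) {
        uint256 len = 0;
        while (len < 32 && raw[len] != 0) {
            len++;
        }
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = raw[i];
        }
        return string(out);
    }
}

// Constructed mock: the common case, symbol() returns a string.
contract StringSymbolToken {
    function symbol() external pure returns (string memory) {
        return "TTK";
    }
}

// Constructed mock: the legacy case, symbol() returns bytes32.
contract Bytes32SymbolToken {
    function symbol() external pure returns (bytes32) {
        return bytes32("LGCY");
    }
}

// Thin wrapper so the library can be exercised from a Foundry test.
contract SymbolReader {
    using TokenSymbol for address;

    function symbolOf(address token) external view returns (string memory) {
        return token.resolve();
    }
}
```

In the order-details function the else branch would then become tokenSymbol = order.tokenToSell.resolve(); calling SymbolReader.symbolOf on the two mocks yields "TTK" and "LGCY", and on an EOA or a contract without symbol() yields "UNKNOWN" rather than reverting.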
Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
