OrderBook (First Flight #43, Beginner Friendly, Solidity)

Submission Details
Impact: low
Likelihood: medium
Status: Invalid

Lack of seller-buyer check enables wash trading

Description:

The buyOrder function in the OrderBook.sol contract does not validate that the order's buyer (msg.sender) is different from the order's seller (order.seller). This absence of a check allows a user to create a sell order and then execute a purchase on that same order.

Impact:

This vulnerability enables "wash trading," where a user can artificially inflate the trading volume on the platform by buying their own assets. While the user would incur a protocol fee for each transaction, this could be used to create a misleading appearance of high market activity. Prospective users might be deceived by these inflated volumes, leading them to misjudge the platform's liquidity and make uninformed trading decisions. This can damage the platform's reputation and user trust.

Recommended Mitigation:

Implement a require statement or a custom error at the beginning of the buyOrder function to ensure that the buyer and seller are not the same address.

```solidity
// OrderBook.sol
// ... existing code ...
function buyOrder(uint256 _orderId) public {
    Order storage order = orders[_orderId];
    // Validation checks
    if (order.seller == address(0)) revert OrderNotFound();
    if (msg.sender == order.seller) revert("Seller cannot buy their own order."); // Mitigation
    if (!order.isActive) revert OrderNotActive();
    if (block.timestamp >= order.deadlineTimestamp) revert OrderExpired();
    order.isActive = false;
    // ... existing code ...
}
```
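As an added illustration (not the project's code or the report author's), a Foundry test against a hypothetical minimal stand-in for OrderBook.sol that keeps only the fields and errors the report names; the createSellOrder helper, the fills counter and the custom error SellerCannotBuyOwnOrder are constructed here in place of the revert string above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for OrderBook.sol, reduced to the fields the report mentions.
contract MinimalOrderBook {
    struct Order { address seller; bool isActive; uint256 deadlineTimestamp; }
    mapping(uint256 => Order) public orders;
    uint256 public nextOrderId;
    uint256 public fills; // constructed counter standing in for reported trade volume

    error OrderNotFound();
    error OrderNotActive();
    error OrderExpired();
    error SellerCannotBuyOwnOrder(); // custom-error form of the report's mitigation

    function createSellOrder(uint256 ttl) external returns (uint256 id) {
        id = nextOrderId++;
        orders[id] = Order(msg.sender, true, block.timestamp + ttl);
    }

    function buyOrder(uint256 _orderId) public {
        Order storage order = orders[_orderId];
        if (order.seller == address(0)) revert OrderNotFound();
        if (msg.sender == order.seller) revert SellerCannotBuyOwnOrder(); // mitigation
        if (!order.isActive) revert OrderNotActive();
        if (block.timestamp >= order.deadlineTimestamp) revert OrderExpired();
        order.isActive = false;
        fills++;
    }
}

contract WashTradeTest is Test {
    MinimalOrderBook book;
    address seller = address(0xA11CE);
    address buyer = address(0xB0B);

    function setUp() public { book = new MinimalOrderBook(); }

    // Self-fill must revert without touching volume; a counterparty still fills normally.
    function test_OnlyCounterpartyCanFill() public {
        vm.prank(seller);
        uint256 id = book.createSellOrder(1 days);
        vm.prank(seller);
        vm.expectRevert(MinimalOrderBook.SellerCannotBuyOwnOrder.selector);
        book.buyOrder(id);          // blocked, order stays active
        assertEq(book.fills(), 0);
        vm.prank(buyer);
        book.buyOrder(id);          // legitimate fill
        assertEq(book.fills(), 1);
    }
}
```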
Updates

Lead Judging Commences

yeahchibyke (Lead Judge), about 2 months ago: Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
