OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: high

Invalid

[H-3] Missing Deadline Check in `cancelSellOrder` Function in the `OrderBook` Contract

akronim26

Description:
The cancelSellOrder function in the OrderBook contract currently lacks a check to determine whether the order's deadline has already passed before allowing a cancellation. This means that a seller is able to cancel their order even after the order has expired, which may not be consistent with the intended business logic of the protocol. In a typical order book system, expired orders are expected to be handled differently (e.g., marked as expired or reclaimed by the protocol), and allowing post-deadline cancellations could result in ambiguous or conflicting order states. Furthermore, this omission could make it more difficult for off-chain indexers, dApps, or users to reliably interpret the status of orders, as an order that is both expired and cancelled may not be clearly distinguishable from one that was cancelled before expiration.

Impact:
Permitting the cancellation of orders after their deadline has passed can undermine the integrity and predictability of the order book. It may allow sellers to bypass intended protocol restrictions, potentially leading to edge cases where expired orders are incorrectly marked as cancelled rather than expired. This can create confusion for users, complicate the logic for frontends and indexers, and may even open up subtle attack vectors if other protocol logic assumes that expired orders cannot be cancelled. In addition, it could make dispute resolution and auditing more difficult, as the true lifecycle of an order becomes less clear.

Recommended Mitigation:
To address this issue, it is recommended to add a deadline check in the cancelSellOrder function. Specifically, the function should revert if the current block timestamp is greater than or equal to the order's deadlineTimestamp, thereby preventing cancellation of orders that have already expired. This ensures that only active, non-expired orders can be cancelled by the seller, maintaining a clear and consistent order state throughout the protocol. Additionally, consider updating documentation and user interfaces to reflect this behavior, so that users are aware that expired orders must be handled differently from cancelled ones.

function cancelSellOrder(uint256 _orderId) public {

Order storage order = orders[_orderId];

if (order.seller == address(0)) revert OrderNotFound();

if (order.seller != msg.sender) revert NotOrderSeller();

if (!order.isActive) revert OrderAlreadyInactive();

+ if (block.timestamp >= order.deadlineTimestamp) revert OrderExpired();

order.isActive = false;

IERC20(order.tokenToSell).safeTransfer(

order.seller,

order.amountToSell

);

emit OrderCancelled(_orderId, order.seller);

}

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

akronim26 Submitter

about 1 month ago

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.