Description:
The createSellOrder function in the OrderBook contract does not check that the seller address is non-zero (address(0)). This looks like a minor omission, but it introduces an edge case into the protocol. In Ethereum, address(0) is a sentinel that conventionally stands for the absence of an address; no private key corresponds to it, so no transaction can ever originate from it. An order recorded with address(0) as the seller is therefore effectively orphaned: no account can ever exercise the seller's rights over it.
How such an order could come to exist depends on where createSellOrder takes the seller from. Note that delegatecall does not change msg.sender: it executes the callee's code in the caller's storage context and preserves msg.sender and msg.value, so a delegatecall path cannot produce msg.sender == address(0), and neither can any externally owned account or deployed contract. If the seller is derived from msg.sender, the zero address is unreachable. If instead the seller is supplied by the caller (for example so that a router or keeper can place orders on behalf of users), then any direct caller, or an integrating contract that forwards an uninitialised address variable, can record address(0) as the seller, and nothing in the function prevents it. Such an order disrupts the normal operation of the order book and complicates order management.
Impact:
The absence of a zero-address check for the seller can disrupt the protocol's functionality in several ways. First, any order created with address(0) as the seller is unmanageable: it cannot be cancelled, amended, or filled, because every subsequent function that touches the order checks for a valid seller and reverts when the seller is address(0). This leaves stuck, unusable orders in the system, which clutter the order book and confuse users and off-chain indexers. Second, the presence of such orders complicates auditing, analytics, and user-interface logic, since every consumer of the order book would need special handling to filter them out.
Proof of Concept:
The following scenario demonstrates how this issue could manifest:
A regular user cannot call a function with msg.sender equal to address(0): every transaction is signed by a key that maps to a non-zero address, and delegatecall forwards the original msg.sender rather than zeroing it. The reachable path is a seller value that does not come from msg.sender, that is, a seller passed in by the caller, or by a misconfigured integrating contract that forwards an unset address. If createSellOrder does not check that value, an order is created with seller set to address(0).
Once such an order exists, any attempt to interact with it (to buy, cancel, or amend it) always fails, because the seller validation those functions perform reverts for a zero seller.
Recommended Mitigation:
Add a check at the top of createSellOrder that reverts when the seller is the zero address, before any order state is written. If orders are only ever placed for the caller, derive the seller from msg.sender instead of accepting it as an argument; msg.sender can never be address(0).
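The following is an added illustration, not the audited OrderBook's code: a minimal order book that shows the unchecked creation path beside the hardened one, and the downstream seller gate that turns a zero-seller order into an orphan. The Order layout, the function names, and the assumption that seller arrives as a caller-supplied argument are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal order book used to illustrate the finding. The Order layout, the
/// function names and the fact that `seller` arrives as an argument are
/// assumptions for this example, not the audited contract's code.
contract OrderBookExample {
    struct Order {
        address seller;
        address token;
        uint256 amount;
        uint256 price;
        bool active;
    }

    error ZeroSeller();
    error InvalidOrder(uint256 id);
    error NotSeller(uint256 id);

    uint256 public nextOrderId;
    mapping(uint256 => Order) public orders;

    event SellOrderCreated(uint256 indexed id, address indexed seller, address token, uint256 amount, uint256 price);
    event SellOrderAmended(uint256 indexed id, uint256 price);
    event SellOrderCancelled(uint256 indexed id);

    /// Vulnerable form: the caller-supplied seller is stored without validation,
    /// so a direct call or an integrating contract forwarding an unset variable
    /// can record address(0) as the seller.
    function createSellOrderUnchecked(address seller, address token, uint256 amount, uint256 price)
        external
        returns (uint256 id)
    {
        id = nextOrderId++;
        orders[id] = Order(seller, token, amount, price, true);
        emit SellOrderCreated(id, seller, token, amount, price);
    }

    /// Hardened form: reject the zero address before anything is written, so every
    /// stored order has a seller that can later cancel, amend or be paid for it.
    /// If orders are only ever placed for the caller, drop the parameter and use
    /// msg.sender, which can never be address(0).
    function createSellOrder(address seller, address token, uint256 amount, uint256 price)
        external
        returns (uint256 id)
    {
        if (seller == address(0)) revert ZeroSeller();
        id = nextOrderId++;
        orders[id] = Order(seller, token, amount, price, true);
        emit SellOrderCreated(id, seller, token, amount, price);
    }

    /// The gate every order-management function goes through. An order stored with
    /// seller == address(0) never passes it: no caller can equal the zero address,
    /// which is the orphaned-order effect described in the Impact section.
    function _validOrderOf(uint256 id) internal view returns (Order storage o) {
        o = orders[id];
        if (!o.active || o.seller == address(0)) revert InvalidOrder(id);
        if (msg.sender != o.seller) revert NotSeller(id);
    }

    function amendSellOrder(uint256 id, uint256 newPrice) external {
        Order storage o = _validOrderOf(id);
        o.price = newPrice;
        emit SellOrderAmended(id, newPrice);
    }

    function cancelSellOrder(uint256 id) external {
        Order storage o = _validOrderOf(id);
        o.active = false;
        emit SellOrderCancelled(id);
    }
}
```

Calling createSellOrderUnchecked(address(0), token, amount, price) succeeds and stores an order that every later amendSellOrder or cancelSellOrder call rejects with InvalidOrder, from any caller. The same input to createSellOrder reverts with ZeroSeller before any state is written, so the order book never holds an unmanageable entry.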