OrderBook:getOrderDetailsString function only handles symbol mapping for core tokens (wETH, wBTC, wSOL) but fails to handle non-core tokens, leading to poor UX.
The function only maps symbols for the three core tokens (wETH, wBTC, wSOL), but the contract supports additional tokens through the OrderBook:setAllowedSellToken function.
When a non-core token is used in an order, the tokenSymbol variable remains uninitialized (empty string), resulting in incomplete order details.
Check the OrderBook:getOrderDetailsString function.
Likelihood: MEDIUM
Depends on whether non-core tokens are actually used
Owner can add any ERC20 token via OrderBook:setAllowedSellToken
Likely to occur if the protocol expands to support more tokens
Impact: LOW
User Experience: Poor readability of order details for non-core tokens
Information Loss: Users can't identify which token is being sold
Inconsistency: Different display quality for different token types
Functionality: Core functionality still works, only display is affected
The following test demonstrates the issue: when a non-core token (i.e., not wETH, wBTC, or wSOL) is used in an order, the getOrderDetailsString function fails to display the token’s symbol, resulting in incomplete and potentially confusing order information for users.
Explanation:
The test deploys a mock ERC20 token with a custom symbol (e.g., "mERC20").
The token is allowed for trading via setAllowedSellToken.
An order is created using this custom token.
When retrieving the order details string, the output is missing the token symbol after the amount, because the function only recognizes core tokens.
The test asserts that the symbol "mERC20" does not appear in the details, and that the output contains the amount followed by a blank space, confirming the bug.
Why this matters:
This proof of concept shows that users will not be able to distinguish which token is being sold if it is not one of the hardcoded core tokens. This can lead to confusion, mistakes in trading, and a poor user experience, especially as the protocol expands to support more tokens.
You can add this test code to the test file:
Import the OpenZeppelin ERC20 standard and read the token's symbol instead of checking individual addresses with conditionals.
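The pattern the finding describes beside the recommended fix, as an added illustration that is not the audited OrderBook code or the finding's test: the vulnerable version maps only the three core tokens, while the fixed version reads symbol() through OpenZeppelin's IERC20Metadata and falls back to the token address when symbol() reverts. The Order struct, its field names and the immutable core-token addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Illustration only: struct layout and names are assumed, not the real OrderBook.
contract OrderDetailsExample {
    struct Order {
        address tokenToSell;
        uint256 amountToSell;
        uint256 priceInUSDC;
    }

    address public immutable wETH;
    address public immutable wBTC;
    address public immutable wSOL;
    mapping(uint256 => Order) public orders;

    constructor(address _wETH, address _wBTC, address _wSOL) {
        wETH = _wETH;
        wBTC = _wBTC;
        wSOL = _wSOL;
    }

    // The pattern the finding describes: only the three core tokens are mapped,
    // so tokenSymbol stays "" for any token added via setAllowedSellToken.
    function vulnerableOrderDetailsString(uint256 id) external view returns (string memory) {
        Order memory o = orders[id];
        string memory tokenSymbol;
        if (o.tokenToSell == wETH) tokenSymbol = "wETH";
        else if (o.tokenToSell == wBTC) tokenSymbol = "wBTC";
        else if (o.tokenToSell == wSOL) tokenSymbol = "wSOL";
        return string.concat("Selling: ", Strings.toString(o.amountToSell), " ", tokenSymbol);
    }

    // Recommended fix: ask the token for its own symbol. symbol() is optional in
    // ERC20, so a token that reverts on it is shown by its address instead.
    function fixedOrderDetailsString(uint256 id) external view returns (string memory) {
        Order memory o = orders[id];
        return string.concat("Selling: ", Strings.toString(o.amountToSell), " ", _symbolOf(o.tokenToSell));
    }

    function _symbolOf(address token) internal view returns (string memory) {
        try IERC20Metadata(token).symbol() returns (string memory s) {
            return s;
        } catch {
            return Strings.toHexString(token);
        }
    }
}
```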