OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

H-1 OrderBook::emergencyWithdrawERC20 Function Enables Potential Rug Pull for Non-Core Tokens

Description

The emergencyWithdrawERC20() function allows the contract owner to withdraw any amount of any non-core ERC20 token from the contract to any address, at any time. The only on-chain restriction is that the token must not be one of the core assets (wETH, wBTC, wSOL, or USDC); there is no check that the amount being withdrawn is surplus rather than tokens users have escrowed in open orders, and no delay between the call and the transfer. For every other token, the function places full trust in the owner.

This becomes particularly dangerous when the owner enables a new non-core token (e.g., XYZ) for trading. Users who lock XYZ in orders reasonably assume the same protection that core assets enjoy, but their escrowed balance can be swept by the owner in a single transaction, with no timelock, no multi-sig, and no governance step in the way. This is a clear centralization risk and a ready-made rug pull vector.

Risk

Likelihood:

  • The function is callable at any time by the owner, with no delay, and covers every non-core token, including tokens the owner has enabled for trading and which therefore hold user deposits.

Impact:

  • Users with open orders in a non-core token can lose 100% of the amount they have escrowed in the contract.

Proof of Concept

Assuming the contract supports a new token "XYZ", here is how a rug pull could occur:

  1. Owner enables XYZ as a tradeable token. XYZ is not a core asset, so the core-token check in emergencyWithdrawERC20 does not cover it.

  2. Users begin trading or locking XYZ tokens in the protocol.

  3. At any time, the owner can execute:

emergencyWithdrawERC20(address(XYZ), XYZ.balanceOf(address(this)), owner);

This withdraws all XYZ tokens from the contract to the owner's address, bypassing all user safeguards.

This is not prevented by any timelock, multi-sig, or governance mechanism.

Recommended Mitigation

  • Transparent Communication:

    • Update README, frontend UI, and all user-facing documentation to clearly warn users that non-core tokens can be withdrawn by the owner at any time.

  • Access Control Enhancements:

    • Implement a multi-sig wallet or timelock contract to gate access to emergencyWithdrawERC20.

  • Limit Emergency Use:

    • Consider making emergency withdrawals trigger only under specific, verifiable emergency conditions, or through a governance vote.

  • Token Whitelisting With Conditions:

    • Allow only whitelisted tokens that meet certain decentralization or trust criteria.

    • Alternatively, disallow trading of non-core tokens entirely unless a secure mechanism is implemented.
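The three-step rug pull from the Proof of Concept and the hardened variant from the mitigations above, as an added Foundry test that is not part of the original submission or the OrderBook code base. OrderBookLike is a deliberately reduced model of the escrow path (owner-managed sell-token allowlist, a deposit that escrows user tokens, the emergency withdrawal with the core-token check as described); it is an assumption, not the audited source, and the core-token addresses are placeholders. XYZ is a constructed sample token. The hardened function goes one step beyond the list above: rather than relying only on an allowlist flag (which the owner can flip off before withdrawing), it tracks what users have escrowed and lets the owner sweep only the surplus above that figure, so mistakenly sent tokens remain recoverable while open-order funds do not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-in for the hypothetical "XYZ" token from the finding.
contract XYZ is ERC20 {
    constructor() ERC20("XYZ", "XYZ") { _mint(msg.sender, 1_000_000e18); }
}

// Reduced model of the OrderBook escrow path (assumption, not the audited
// source): an owner-managed sell-token allowlist, a deposit that escrows user
// tokens, the emergency withdrawal as described, and a hardened variant.
contract OrderBookLike {
    using SafeERC20 for IERC20;
    address public immutable owner;
    address public immutable weth;
    address public immutable wbtc;
    address public immutable wsol;
    address public immutable usdc;
    mapping(address => bool) public allowedSellToken;
    mapping(address => uint256) public escrowed; // per-token sum of open-order deposits

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address _weth, address _wbtc, address _wsol, address _usdc) {
        owner = msg.sender;
        weth = _weth; wbtc = _wbtc; wsol = _wsol; usdc = _usdc;
    }

    function setAllowedSellToken(address token, bool allowed) external onlyOwner {
        allowedSellToken[token] = allowed;
    }

    // Users lock tokens into an order; bookkeeping beyond the escrow total is omitted.
    function createSellOrder(address token, uint256 amount) external {
        require(allowedSellToken[token], "token not allowed");
        escrowed[token] += amount;
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
    }

    function isCore(address t) internal view returns (bool) {
        return t == weth || t == wbtc || t == wsol || t == usdc;
    }

    // Shape described in the finding: any non-core token, any amount, no delay.
    function emergencyWithdrawERC20(address token, uint256 amount, address to) external onlyOwner {
        require(!isCore(token), "Cannot withdraw core order book tokens via emergency function");
        require(to != address(0), "zero address");
        IERC20(token).safeTransfer(to, amount);
    }

    // Hardened variant: only the surplus above what users have escrowed may
    // leave, so funds locked in open orders are unreachable by the owner.
    function emergencyWithdrawSurplus(address token, uint256 amount, address to) external onlyOwner {
        require(!isCore(token), "Cannot withdraw core order book tokens via emergency function");
        require(to != address(0), "zero address");
        uint256 surplus = IERC20(token).balanceOf(address(this)) - escrowed[token];
        require(amount <= surplus, "amount exceeds unescrowed surplus");
        IERC20(token).safeTransfer(to, amount);
    }
}

contract EmergencyWithdrawTest is Test {
    OrderBookLike book;
    XYZ xyz;
    address user = makeAddr("user");

    function setUp() public {
        // Placeholder core-token addresses; only their inequality with XYZ matters here.
        book = new OrderBookLike(makeAddr("weth"), makeAddr("wbtc"), makeAddr("wsol"), makeAddr("usdc"));
        xyz = new XYZ();
        xyz.transfer(user, 100e18);
        book.setAllowedSellToken(address(xyz), true);  // step 1: owner lists XYZ
        vm.startPrank(user);
        xyz.approve(address(book), 100e18);
        book.createSellOrder(address(xyz), 100e18);    // step 2: user locks XYZ
        vm.stopPrank();
    }

    function test_ownerDrainsEscrowedXYZ() public {
        // step 3: the owner (this test contract) sweeps the whole escrow in one call
        book.emergencyWithdrawERC20(address(xyz), xyz.balanceOf(address(book)), address(this));
        assertEq(xyz.balanceOf(address(book)), 0);
        assertEq(xyz.balanceOf(address(this)), 1_000_000e18);
    }

    function test_surplusOnlyVariantProtectsEscrow() public {
        // Nothing beyond the 100e18 escrow is held, so even 1 wei must revert;
        // tokens sent to the contract by mistake are still recoverable.
        vm.expectRevert(bytes("amount exceeds unescrowed surplus"));
        book.emergencyWithdrawSurplus(address(xyz), 1, address(this));
        xyz.transfer(address(book), 5e18);
        book.emergencyWithdrawSurplus(address(xyz), 5e18, address(this));
        assertEq(xyz.balanceOf(address(book)), 100e18);
    }
}
```

Run with `forge test` in a project that has forge-std and OpenZeppelin installed. The surplus check also covers fee-on-transfer tokens: if the contract's real balance falls below the escrowed total, the subtraction reverts and nothing is withdrawable, which is the safe failure. The multi-sig and timelock recommendations above are complementary deployment choices rather than contract logic: setting the owner to a Safe or an OpenZeppelin TimelockController adds the delay and the second signature without changing the function.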

Updates

Lead Judging Commences

yeahchibyke Lead Judge 11 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity