OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Allowed Token List Impact

amro135ali

Root + Impact

Description

Normal behavior: The contract owner can add or remove tokens from the allowedSellToken mapping, enabling or disabling them for order creation.
Issue: The owner can add any ERC20 token (except USDC) to the allowed list, including tokens with malicious or non-standard behavior (e.g., fee-on-transfer, reentrancy, or tokens that revert on transfer).
Issue:

The function allows the owner to add any ERC20 token (except USDC or the zero address) to the allowed list. This means tokens with non-standard or malicious behavior (such as fee-on-transfer, reentrancy, or tokens that revert on transfer) can be added. If such a token is allowed, users may unknowingly create orders with it, leading to unexpected results, loss of funds, or even contract vulnerabilities.

function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {

if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken(); // @> Cannot allow null or USDC itself

allowedSellToken[_token] = _isAllowed; // @> Any token can be allowed

emit TokenAllowed(_token, _isAllowed);

}

Risk

Likelihood:

The owner may inadvertently or maliciously add a non-standard or malicious token.

Users may create orders with such tokens, leading to unexpected behavior or loss of funds.

Impact:

Users may lose funds if tokens behave unexpectedly (e.g., fee-on-transfer, reentrancy).

The contract may become unusable or funds may be locked.

Proof of Concept

// Owner adds a fee-on-transfer token

orderBook.setAllowedSellToken(address(feeOnTransferToken), true);

// Seller creates an order with this token

feeOnTransferToken.approve(address(orderBook), 100);

orderBook.createSellOrder(address(feeOnTransferToken), 100, 1000, 1 days);

// Buyer receives less than 100 tokens due to transfer fee, but pays full price

Recommended Mitigation

Restrict setAllowedSellToken to only allow a predefined whitelist of audited tokens, or require a governance process for adding new tokens. At minimum, warn users about the risks of non-standard tokens.

Updates

Lead Judging Commences

yeahchibyke Lead Judge

about 1 month ago

yeahchibyke Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.