OrderBook

First Flight #43

Beginner FriendlySolidity

100 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

No Pausable Mechanism

Author Revealed upon completion

Root + Impact

Description

Normal behavior:

The contract is always active, and all functions are callable at any time. This ensures continuous operation and availability for users to create, amend, cancel, or fill orders.

Issue:

In the event of a discovered vulnerability, exploit, or emergency (such as a bug in a newly added token or a protocol-wide attack), there is no way for the owner to pause the contract. This means malicious activity or exploitation can continue unchecked until a new contract is deployed or a fix is implemented, potentially resulting in significant losses.

// No pausable modifier or state variable present in any function

// All functions are always callable

Risk

Likelihood:

Vulnerabilities or attacks may be discovered after deployment, especially as the protocol evolves or new tokens are added.

The owner cannot react quickly to stop contract activity, increasing the window for exploitation.

Impact:

Funds may be drained or further exploited before a fix can be deployed.

Loss of user trust and protocol funds, and potential legal or reputational consequences.

Proof of Concept

// This PoC illustrates the inability to stop an attack in progress.

// Suppose a vulnerability is discovered that allows draining funds from the contract.

// The owner cannot pause the contract, so the attacker continues exploiting until all funds are gone.

Recommended Mitigation

Integrate OpenZeppelin's Pausable contract and add whenNotPaused modifiers to all state-changing functions. This allows the owner to pause the contract in emergencies, preventing further damage.

Explanation: Adding a pause mechanism gives the protocol a critical tool to respond to emergencies, buying time to fix vulnerabilities and protect user funds.

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 5 hours ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

217

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

View preliminary results

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.