OrderBook
First Flight #43
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Valid

### [L-2] No deletion of Cancelled Orders

wolf_kalp

[L-2] No deletion of Cancelled Orders

Description

The cancelSellOrder Function marks the cancelled order as inactive but does not delete
the Order struct from storage.Due to this contract retains unnecessary data.This leads to
unbounded storage and storage bloat over the time.

Impact:

1.Increased storage costs especially in high trading volumes.

2.Elevated and increased gas costs when reading/writting to storages

3.Due to Higher gas fees ,users gets discourages to buy.

4.waste of on-chain storage leads to inefficiency.

Proof of Concept

1.All users creates hundreds of orders and can cancel that.
2.However it does not get deleted from the storage.
3.Unnecessary gas costs increases over the time.

Recommended Mitigation

Add delete statement to delete from the mappings and free up the storage.

```diff
function cancelSellOrder(uint256 _orderId) public {
Order storage order = orders[_orderId];
if (order.seller == address(0)) revert OrderNotFound();
if (order.seller != msg.sender) revert NotOrderSeller();
if (!order.isActive) revert OrderAlreadyInactive(); // Already inactive (filled or cancelled)
// Mark as inactive
order.isActive = false;
IERC20(order.tokenToSell).safeTransfer(
order.seller,
order.amountToSell
);
+delete orders[_orderid];
emit OrderCancelled(_orderId, order.seller);
}
Updates

Lead Judging Commences

yeahchibyke Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Expired orders can cause backlog

By design only `seller` can call `cancelSellOrder()` on their `order`. But when an `order` expires, and the `seller` doesn't have access to the protocol, the expired `order `should be be able to be cancelled by an `admin`.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.