Description:

The OrderBook contract has a design flaw in how order prices are interpreted and communicated to users. When sellers create orders using createSellOrder(), they specify priceInUSDC assuming this represents the net amount they will receive. However, the protocol deducts the 3% protocol fee from this specified price, resulting in sellers receiving significantly less than anticipated.

The confusion arises from the parameter name and function behavior: priceInUSDC represents the total amount the buyer pays, not the amount the seller receives. This misalignment between user expectations and actual protocol behavior creates a systematic underpayment issue for sellers.

Attack path:

1. Seller expectation: Seller wants to receive exactly 1,000 USDC for their 1 WETH

2. Order creation: Seller calls createSellOrder(WETH, 1e18, 1000e6, 1 days) believing they will receive 1,000 USDC

3. Buyer purchase: Buyer calls buyOrder(orderId) and pays exactly 1,000 USDC as specified

4. Fee calculation: Protocol calculates protocolFee = (1000e6 * 3) / 100 = 30e6 (30 USDC)

5. Seller payout: Seller receives sellerReceives = 1000e6 - 30e6 = 970e6 (970 USDC)

6. Unexpected loss: Seller receives 30 USDC less than expected (3% shortfall)

Impact:

All sellers receive 3% less than they expect when creating orders

Misleading parameter naming creates false expectations about received amounts

Users lose confidence in the protocol when they consistently receive less than anticipated

Sellers experience unexpected 3% reduction in their expected returns

Recommended Mitigation:

Restructure order creation to accept net seller amount