[L-4] Missing Balance Check in OrderBook::emergencyWithdrawERC20
Description
The emergencyWithdrawERC20 function allows the contract owner to withdraw any non-core ERC20 token from the contract. However, it does not validate that the contract has a sufficient balance before attempting the transfer. This violates defensive programming practices.
Impact:
1. Poor developer experience during debugging.
2. Wasted gas on failed transactions.
3. Potentially confusing behavior during emergency recovery situations.
Proof of Concept
1. The owner tries to withdraw an amount greater than the contract's balance.
2. The transaction reverts because of insufficient balance.
3. Gas is wasted and the experience is poor.
Recommended Mitigation
function emergencyWithdrawERC20(
address _tokenAddress,
uint256 _amount,
address _to
) external onlyOwner {
if (
_tokenAddress == address(iWETH) ||
_tokenAddress == address(iWBTC) ||
_tokenAddress == address(iWSOL) ||
_tokenAddress == address(iUSDC)
) {
revert(
"Cannot withdraw core order book tokens via emergency function"
);
}
if (_to == address(0)) {
revert InvalidAddress();
}
IERC20 token = IERC20(_tokenAddress);
+ uint balance=token.balanceOf(address(this));
+ if(_amount>balance){
+ revert insufficientbalance();
+ }
token.safeTransfer(_to, _amount);
emit EmergencyWithdrawal(_tokenAddress, _amount, _to);
}
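Review bot: the added line "revert insufficientbalance();" relies on a custom error that is not declared anywhere in the shown code, and its lower-case name does not match the existing "revert InvalidAddress();" a few lines above. Declare the error alongside the contract's other errors and name it in the same style (for example InsufficientBalance), preferably with the requested amount and the available balance as arguments so the revert is self-explanatory during a recovery. The new local is typed "uint" while the parameter is "uint256 _amount"; use uint256 for consistency. The added balanceOf call is also one more external call on every withdrawal, so this check improves the revert reason rather than reducing gas on the success path, which is worth stating in the finding.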