Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Ostium>Discussion>TradeUtils used as a library for address
GeneralOverview
Findings
Critical (2)
High (3)
Medium (6)
Low (6)
Informational (2)
DiscussionRemoval of trading pairs is not supportedIncorrect last updated block number for TP and SLTradeUtils used as a library for address
Threat ModelWhat are threat models?Delegatable.solOstiumOpenPnl.solOstiumTrading.solOstiumVault.sol
Audit ResultsSummary

TradeUtils is used as a library for the address type

In OstiumTrading, the library TradeUtils is used for the address type:

contract OstiumTrading is IOstiumTrading, Delegatable, Initializable {
    using TradeUtils for address;

This is done in order to be able to directly use the return value of a call to registry.getContractAddress to call convenience functions in the library. However, attaching the library to address is overly broad and allows invalid calls like this to compile:

msg.sender.setTradeLastUpdated( /* [...] */ );

Moreover, it is unclear at a glance what is actually being called because the function in OstiumTradingCallbacks is also called setTradeLastUpdated but has a different signature, and the layer of calls in the library is hidden.

This issue has been acknowledged by Ostium Labs, and a fix was implemented in commit 9b977c93.

Zellic © 2024Back to top ↑