
dbook is a fully on-chain EVM orderbook exchange designed for high-performance, gas-efficient, self-custodial trading. The protocol runs its matching engine, FIFO priority logic, and extensible execution flows entirely on-chain, supporting advanced order types without relying on off-chain components, and is launching on MegaETH.
FailSafe was engaged to conduct a comprehensive security audit of dbook’s smart contract system prior to broader production use. The audit focused on identifying vulnerabilities that could impact user funds, protocol solvency, order fairness, and operational reliability across the core orderbook and management infrastructure.
Summary of Findings
| Severity | Total | Status |
|---|---|---|
| Critical | 1 | 1 Resolved |
| High | 7 | 5 Resolved, 2 Acknowledged |
| Medium | 4 | 3 Resolved, 1 Acknowledged |
| Low | 1 | 1 Resolved |
| Total | 13 | 10 Resolved, 3 Acknowledged |
1. Quote Over-Collateralization On Partially Filled Limit Buys
Severity: Critical | Status: Resolved
When a limit buy was partially filled at a price better than its limit and the remainder rested on the book, the contract pulled the full quote amount for the original order size (size multiplied by the limit price) but never refunded the price-improvement surplus left over after paying for the partial fill and reserving quote for the resting remainder.
That surplus stayed stranded in the contract with no order or balance pointing at it, breaking the quote-conservation invariant (the contract should hold exactly what is reserved for resting orders) and causing unrecoverable loss for every user whose limit buy filled at better than its limit.
The issue was fully resolved by correcting the collateral accounting and refund logic so the surplus is returned to the trader.
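The following model, added here as an example and not taken from dbook's contracts, reproduces the accounting in integers: pull size times limit up front, pay makers for the filled portion, reserve quote for the remainder, and either leave or refund what is left. The `Ledger`, `Fill` and function names are assumptions; the conservation check at the end is the invariant the finding describes.

```python
"""Model of quote-collateral accounting for a partially filled limit buy.
Added example, not dbook code. Prices and sizes are plain integers and
quote = size * price; these units are assumptions."""
from dataclasses import dataclass


@dataclass
class Fill:
    size: int
    price: int   # for a buy, must be <= the order's limit price


@dataclass
class Ledger:
    """What the contract holds versus what it owes."""
    contract_quote: int = 0   # quote actually sitting in the contract
    trader_quote: int = 0     # quote left in the trader's wallet
    reserved: int = 0         # quote reserved for orders resting on the book
    paid_to_makers: int = 0


def place_limit_buy(ledger, size, limit, fills, refund_surplus):
    """Pull size*limit, settle `fills`, reserve quote for the remainder.

    refund_surplus=False reproduces the bug: the price-improvement surplus
    is neither paid out nor reserved, so nothing can ever claim it."""
    pulled = size * limit
    ledger.trader_quote -= pulled
    ledger.contract_quote += pulled

    filled = sum(f.size for f in fills)
    if filled > size:
        raise ValueError("overfill")
    cost = 0
    for f in fills:
        if f.price > limit:
            raise ValueError("fill worse than limit")
        cost += f.size * f.price
    ledger.contract_quote -= cost
    ledger.paid_to_makers += cost

    remaining = size - filled
    ledger.reserved += remaining * limit          # what the resting remainder needs

    surplus = pulled - cost - remaining * limit   # > 0 whenever a fill improved on limit
    if refund_surplus:
        ledger.contract_quote -= surplus
        ledger.trader_quote += surplus
    return surplus


def stranded(ledger):
    """Conservation invariant: contract balance == reservations for resting
    orders. A positive result is quote nobody can withdraw."""
    return ledger.contract_quote - ledger.reserved


def run(refund_surplus):
    """Constructed scenario: buy 100 @ limit 1000; 40 fill at 990, 60 rest."""
    ledger = Ledger(trader_quote=1_000_000)
    surplus = place_limit_buy(ledger, 100, 1_000, [Fill(40, 990)], refund_surplus)
    return surplus, stranded(ledger), ledger.trader_quote


if __name__ == "__main__":
    print("vulnerable:", run(False))   # surplus 400 stranded, trader short 400
    print("fixed:     ", run(True))    # surplus 400 refunded, nothing stranded
```

The 400 units are 40 filled units times the 10-unit price improvement. An on-chain variant of `stranded` (contract token balance minus the sum of open reservations) is the invariant a fuzzing or monitoring harness should assert after every order placement.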
2. Lack Of Protection Against Malicious Tokens
Severity: High | Status: Resolved
The Manager contract checked bytecode normalization and parameter consistency when registering tokens but did not validate who controlled the token's mint function.
This allowed freely mintable tokens to be registered; an attacker could mint unlimited supply at zero cost and trade it against market makers to drain scarce assets.
Token registration logic was updated to enforce semantic validation of token configurations, including mint controls, and to reject malicious tokens.
3. Fee-On-Transfer Token Accounting Mismatch
Severity: High | Status: Resolved
The OrderBook contract assumed exact ERC20 transfer semantics throughout collateral handling: the amount passed to the transfer was the amount credited. With fee-on-transfer tokens the contract recorded the nominal amount while receiving less.
Credited balances therefore exceeded the contract's actual holdings, making it insolvent on the first deposit and enabling systematic value extraction by anyone who deposited and withdrew.
The issue was resolved by enforcing balance-delta validation: the contract measures its token balance before and after the transfer and rejects tokens whose received amount does not match the requested amount.
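To make the insolvency concrete, here is an added example (not dbook's code) with a hypothetical fee-on-transfer token and a collateral ledger that either trusts the nominal amount or applies the balance-delta check. The token, ledger and account names are constructed for the demonstration; a balance snapshot stands in for the EVM revert that a failed check would trigger.

```python
"""Balance-delta validation for collateral deposits.
Added example, not dbook code; Token and Collateral are hypothetical."""
import copy


class Token:
    """Minimal ERC20-like token. fee_bps > 0 makes it fee-on-transfer."""

    def __init__(self, fee_bps=0):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, src, dst, amount):
        """Debits `amount` from src but credits dst only amount minus fee."""
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount - fee
        self.balances["fee_sink"] = self.balance_of("fee_sink") + fee


class Collateral:
    """Deposit/withdraw ledger for one token.
    strict=False: vulnerable nominal accounting.
    strict=True: balance-delta check, rejecting incompatible tokens."""

    def __init__(self, token, strict):
        self.token = token
        self.strict = strict
        self.credited = {}

    def deposit(self, user, amount):
        snapshot = copy.deepcopy(self.token.balances)   # stands in for EVM revert
        before = self.token.balance_of("exchange")
        self.token.transfer_from(user, "exchange", amount)
        received = self.token.balance_of("exchange") - before
        if self.strict and received != amount:
            self.token.balances = snapshot              # undo the transfer
            raise ValueError(f"expected {amount}, received {received}")
        self.credited[user] = self.credited.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.credited.get(user, 0) < amount:
            raise ValueError("insufficient credit")
        self.credited[user] -= amount
        self.token.transfer_from("exchange", user, amount)

    def shortfall(self):
        """Outstanding claims minus tokens actually held; > 0 means insolvent."""
        return sum(self.credited.values()) - self.token.balance_of("exchange")


def demo(strict):
    """Constructed scenario: 1% fee token, two depositors, one withdrawal."""
    token = Token(fee_bps=100)
    token.mint("alice", 10_000)
    token.mint("bob", 10_000)
    exch = Collateral(token, strict)
    try:
        exch.deposit("alice", 10_000)
        exch.deposit("bob", 10_000)
    except ValueError:
        return ("rejected", exch.shortfall())
    exch.withdraw("alice", 10_000)          # alice is paid her full nominal credit
    return ("accepted", exch.shortfall())   # bob's 10_000 claim vs 9_800 remaining


if __name__ == "__main__":
    print("nominal accounting:", demo(False))   # ('accepted', 200)
    print("balance-delta check:", demo(True))   # ('rejected', 0)
```

With nominal accounting the ledger is 200 units short after two deposits, and the first withdrawer is paid in full at the expense of whoever is last; with the delta check the very first deposit of such a token reverts, so the book never holds it.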
4. FIFO Priority Gaming Via Overpost-Then-Shrink
Severity: High | Status: Resolved
An attacker could post a large order to claim an early place in the FIFO queue, then shrink the order to the size they actually wanted while keeping that queue position.
This gave the attacker fills ahead of makers who had honestly committed the same size earlier, undermining the fairness of the orderbook.
Priority handling was updated so that an order's queue position is reset whenever its size changes.
5. Liquidity Provision Censorship Via Post-Only Griefing
Severity: Medium | Status: Acknowledged
An attacker could rest minimal dust orders on the opposite side at chosen price levels so that a market maker's post-only order at those levels would cross and be rejected, blocking legitimate liquidity from being posted there.
The team acknowledged this behavior as a known tradeoff in on-chain FIFO orderbooks.
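One FIFO price level, written as an added example (not dbook's code) to illustrate both findings 4 and 5 above: `resize` either keeps the queue slot (the vulnerable behaviour) or cancels and re-posts at the back (the fix), and a two-sided `Book` applies the crossing check that a one-unit dust order exploits against post-only orders. The class and method names, and the integer price/size scenario, are assumptions.

```python
"""FIFO price level with resize semantics, plus a post-only crossing check.
Added example, not dbook code; data model and names are assumptions."""
from collections import deque
from itertools import count


class PriceLevel:
    """Resting orders at one price, FIFO by arrival sequence number."""

    def __init__(self, reset_priority_on_resize):
        self.queue = deque()      # entries [seq, owner, size]; front = best priority
        self.seq = count(1)
        self.reset = reset_priority_on_resize

    def post(self, owner, size):
        entry = [next(self.seq), owner, size]
        self.queue.append(entry)
        return entry[0]

    def resize(self, owner, new_size):
        """Vulnerable: edit size in place, keep slot. Fixed: cancel and re-post."""
        for i, e in enumerate(self.queue):
            if e[1] == owner:
                if self.reset:
                    del self.queue[i]
                    return self.post(owner, new_size)
                e[2] = new_size
                return e[0]
        raise KeyError(owner)

    def match(self, size):
        """Fill `size` from the front of the queue; return [(owner, qty)]."""
        fills = []
        while size and self.queue:
            e = self.queue[0]
            qty = min(size, e[2])
            fills.append((e[1], qty))
            e[2] -= qty
            size -= qty
            if e[2] == 0:
                self.queue.popleft()
        return fills


class Book:
    """Just enough of a two-sided book to apply the post-only crossing rule."""

    def __init__(self):
        self.bids = {}   # price -> PriceLevel
        self.asks = {}

    def best_bid(self):
        return max(self.bids) if self.bids else None

    def best_ask(self):
        return min(self.asks) if self.asks else None

    def post_only(self, side, owner, price, size):
        """A post-only order must rest; it is rejected if it would cross."""
        if side == "ask" and self.best_bid() is not None and price <= self.best_bid():
            return False
        if side == "bid" and self.best_ask() is not None and price >= self.best_ask():
            return False
        levels = self.asks if side == "ask" else self.bids
        levels.setdefault(price, PriceLevel(True)).post(owner, size)
        return True


def priority_game(reset):
    """Constructed: attacker posts 1_000 ahead of an honest 50, shrinks to 10,
    then a 50-unit taker arrives. Who is filled first?"""
    level = PriceLevel(reset)
    level.post("attacker", 1_000)
    level.post("maker", 50)
    level.resize("attacker", 10)
    return level.match(50)


def dust_griefing():
    """Constructed: a one-unit bid at 100 blocks a post-only ask at 100."""
    book = Book()
    book.post_only("bid", "griefer", 100, 1)
    at_100 = book.post_only("ask", "maker", 100, 10_000)   # rejected: would cross
    at_101 = book.post_only("ask", "maker", 101, 10_000)   # accepted one tick away
    return at_100, at_101


if __name__ == "__main__":
    print(priority_game(False))   # [('attacker', 10), ('maker', 40)]
    print(priority_game(True))    # [('maker', 50)]
    print(dust_griefing())        # (False, True)
```

The griefer's cost is the collateral behind one unit; the maker's only options are to post a tick worse or to send a non-post-only order that eats the dust and then rests, which is the tradeoff the team accepted.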
Read more about dbook’s audit in the report below.
dbook’s Security Posture
The dbook audit highlighted the complexity of building a fully on-chain orderbook exchange, particularly around collateral conservation, token compatibility, FIFO fairness, and privileged operations.
The dbook team resolved the Critical finding and five of the seven High severity issues, significantly improving the protocol's resilience against fund loss, market manipulation, and operational failures. The remaining acknowledged issues were clearly documented with their tradeoffs understood.
Closing Remarks
FailSafe commends the dbook team for their engagement and responsiveness throughout the audit process. By resolving high-impact vulnerabilities and carefully documenting remaining risks, dbook has meaningfully strengthened its security posture ahead of broader adoption.
FailSafe remains available to support dbook as a long-term strategic security partner.