The `closeBidTaker` function in the `DeliveryPlace` contract is used by takers who hold BID stock and whose stock's pre-offer is settled. The pre-offer will be settled in two cases:

1) the offer is aborted by the maker by calling `abortAskOffer`
2) the offer is settled by the maker by calling `settleAskMaker`

The `closeBidTaker` function has a critical issue: it uses the wrong token address when updating the user's point token balance. Specifically, the function uses `makerInfo.tokenAddress`, which represents the collateral token, instead of the point token address when adding the point token balance.

The `pointTokenAmount` is supposed to represent an amount of point tokens, yet the function passes `makerInfo.tokenAddress` (the collateral token) when updating the balance. Point tokens and collateral tokens are different assets, so using the collateral token address in place of the point token address adds the balance to the wrong token.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L178-L200
This could result in users receiving the wrong tokens. If the collateral token is worth much more than the point token, users would receive collateral tokens instead of point tokens, causing a loss to the protocol.
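The mis-keyed credit described above, next to a corrected form, as an added sketch that is not the Tadle code. The contract name, the `pointToken` state variable, the `claimable` mapping and the `creditBuggy`/`creditFixed` functions are assumptions made for illustration; only `makerInfo.tokenAddress` and `pointTokenAmount` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sketch, not Tadle's code: a ledger keyed by (user, token), so the
// token address passed to the credit call decides which asset can be withdrawn.
contract BalanceLedgerSketch {
    struct MakerInfo {
        address tokenAddress; // collateral token, as in the finding
    }

    // Assumption: the protocol knows the point token address at this stage.
    address public immutable pointToken;

    // user => token => claimable amount
    mapping(address => mapping(address => uint256)) public claimable;

    constructor(address pointToken_) {
        pointToken = pointToken_;
    }

    function _credit(address user, address token, uint256 amount) internal {
        claimable[user][token] += amount;
    }

    // Pattern described in the finding: a point-token amount is booked under
    // the collateral token address, so it becomes a claim on collateral.
    function creditBuggy(MakerInfo memory makerInfo, uint256 pointTokenAmount) external {
        _credit(msg.sender, makerInfo.tokenAddress, pointTokenAmount);
    }

    // Corrected pattern: the amount is booked under the point token address,
    // and the caller's collateral balance must not move.
    function creditFixed(MakerInfo memory makerInfo, uint256 pointTokenAmount) external {
        require(makerInfo.tokenAddress != pointToken, "collateral == point token");
        uint256 collateralBefore = claimable[msg.sender][makerInfo.tokenAddress];
        _credit(msg.sender, pointToken, pointTokenAmount);
        assert(claimable[msg.sender][makerInfo.tokenAddress] == collateralBefore);
    }
}
```

The `assert` in `creditFixed` doubles as a regression invariant: a unit or fuzz test for the real function can check that the collateral balance is unchanged and the point token balance grows by exactly `pointTokenAmount`.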
Manual review
Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.