In the listOffer() function, the user is charged collateral at the preOffer's collateral rate instead of the collateralRate passed as the function argument. The offerInfo, however, stores the collateral rate passed as the parameter. This is an inconsistency a malicious attacker can take advantage of, since in the closeOffer function the collateral rate recorded in the offerInfo is used to compute the refund paid back to the user.
When a user (who owns a "bid" type stock) tries to list an offer in protected mode, he is made to deposit collateral according to offerInfo.collateralRate (which is the stockInfo.preOffer's collateralRate).
But further down, when the OfferInfo object is created, the collateralRate passed as the parameter is used.
This is the inconsistency in the code that a malicious user can take advantage of in many ways:
One possible way is:
1. Assume an ask offer is created with collateralRate = 10,000 (in protected mode).
2. The attacker takes (createTaker) this offer, and thus obtains a "bid" type of stock.
3. The attacker lists (listOffer) this stock, passing 100,000 as the collateralRate.
4. The attacker pays collateral corresponding to collateralRate = 10,000, but the offer is recorded with collateralRate = 100,000 (the inconsistency in the code).
5. The attacker closes the offer (closeOffer).
Here the attacker is refunded according to collateralRate = 100,000. This means the attacker has been refunded more than what he deposited.
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L437-L456
Note that the collateralRate (100,000) used above is just an example; since there is no upper limit on the collateralRate, the attacker can use a very high collateralRate to drain the funds completely.
Since the attacker can set the collateralRate himself, he can potentially drain the account's entire funds.
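To make the mismatch concrete, here is a stripped-down model of the deposit/refund flow, added here as an illustration. It is not Tadle's PreMarkets.sol code; the contract, struct and function names (listOfferVulnerable, listOfferFixed, closeOffer, preOfferCollateralRate), the rate denominator, and the use of native ether instead of an ERC-20 collateral token are all assumptions made for the example. The vulnerable listing charges the deposit at one rate but records another; the fixed listing uses the same rate for both, so the refund computed on close can never exceed what the offer actually deposited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified model of the listOffer/closeOffer flow described in
/// the finding. Not Tadle's PreMarkets.sol; all names and structure are assumed.
contract CollateralRateModel {
    struct Offer {
        address owner;
        uint256 amount;
        uint256 collateralRate; // 10_000 == 100% (assumed scaling)
        bool open;
    }

    uint256 public constant RATE_DENOMINATOR = 10_000;

    mapping(uint256 => Offer) public offers;
    mapping(address => uint256) public balances; // collateral credited back to users
    uint256 public nextOfferId;
    uint256 public pool; // collateral held on behalf of all offers

    // Rate inherited from the "pre-offer" in the original flow (fixed here for simplicity).
    uint256 public preOfferCollateralRate = 10_000;

    function _collateral(uint256 amount, uint256 rate) internal pure returns (uint256) {
        return amount * rate / RATE_DENOMINATOR;
    }

    /// Vulnerable pattern: the deposit is charged at the pre-offer rate, but the
    /// stored offer records the caller-supplied rate, which closeOffer later refunds.
    function listOfferVulnerable(uint256 amount, uint256 collateralRate)
        external payable returns (uint256 id)
    {
        uint256 required = _collateral(amount, preOfferCollateralRate);
        require(msg.value == required, "wrong deposit");
        pool += msg.value;
        id = nextOfferId++;
        offers[id] = Offer(msg.sender, amount, collateralRate, true); // rate mismatch
    }

    /// Fixed pattern: the rate used to size the deposit is the rate recorded on
    /// the offer, so deposit and later refund are computed from the same value.
    function listOfferFixed(uint256 amount, uint256 collateralRate)
        external payable returns (uint256 id)
    {
        uint256 required = _collateral(amount, collateralRate);
        require(msg.value == required, "wrong deposit");
        pool += msg.value;
        id = nextOfferId++;
        offers[id] = Offer(msg.sender, amount, collateralRate, true);
    }

    /// Refund is computed from the recorded rate, as the finding describes for closeOffer.
    function closeOffer(uint256 id) external {
        Offer storage o = offers[id];
        require(o.open && o.owner == msg.sender, "not open or not owner");
        o.open = false;
        uint256 refund = _collateral(o.amount, o.collateralRate);
        // After listOfferVulnerable with an inflated rate, refund exceeds this
        // offer's own deposit and the difference is paid from other users' collateral.
        require(pool >= refund, "pool drained");
        pool -= refund;
        balances[msg.sender] += refund;
    }
}
```

As a defence in depth beyond the one-line fix, an offer can also record the amount it actually deposited and closeOffer can cap the refund at that value; then a future divergence between "rate charged" and "rate stored" degrades to an accounting bug instead of a drain of the shared pool.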
Manual Review
Update the collateralRate value in listOffer() function to transfer the correct amount (line 349):
Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract; if the opposite occurs, user loses funds based on the points they are supposed to receive.
Valid high severity. Because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipulation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract.