Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Wrong updation of abortOfferStatus for turbo mode while listing the offer.

VaRuN

Summary

Updation of abortOfferStatus is applied to the memory variable hence it doesn't reflect on the actual offer status.

Vulnerability Details

Following is list offer function

function listOffer(

address _stock,

uint256 _amount,

uint256 _collateralRate

) external payable {

if (_amount == 0x0) {

revert Errors.AmountIsZero();

}

if (_collateralRate < Constants.COLLATERAL_RATE_DECIMAL_SCALER) {

revert InvalidCollateralRate();

}

StockInfo storage stockInfo = stockInfoMap[_stock];

if (_msgSender() != stockInfo.authority) {

revert Errors.Unauthorized();

}

OfferInfo storage offerInfo = offerInfoMap[stockInfo.preOffer];

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

/// @dev market place must be online

ISystemConfig systemConfig = tadleFactory.getSystemConfig();

MarketPlaceInfo memory marketPlaceInfo = systemConfig

.getMarketPlaceInfo(makerInfo.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(

block.timestamp,

MarketPlaceStatus.Online

);

if (stockInfo.offer != address(0x0)) {

revert OfferAlreadyExist();

}

if (stockInfo.stockType != StockType.Bid) {

revert InvalidStockType(StockType.Bid, stockInfo.stockType);

}

/// @dev change abort offer status when offer settle type is turbo

if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

address originOffer = makerInfo.originOffer;

OfferInfo memory originOfferInfo = offerInfoMap[originOffer];

if (_collateralRate != originOfferInfo.collateralRate) {

revert InvalidCollateralRate();

}

originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;

}

/// @dev transfer collateral when offer settle type is protected

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate,

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

address offerAddr = GenerateAddress.generateOfferAddress(stockInfo.id);

if (offerInfoMap[offerAddr].authority != address(0x0)) {

revert OfferAlreadyExist();

}

/// @dev update offer info

offerInfoMap[offerAddr] = OfferInfo({

id: stockInfo.id,

authority: _msgSender(),

maker: offerInfo.maker,

offerStatus: OfferStatus.Virgin,

offerType: offerInfo.offerType,

abortOfferStatus: AbortOfferStatus.Initialized,

points: stockInfo.points,

amount: _amount,

collateralRate: _collateralRate,

usedPoints: 0,

tradeTax: 0,

settledPoints: 0,

settledPointTokenAmount: 0,

settledCollateralAmount: 0

});

stockInfo.offer = offerAddr;

emit ListOffer(

offerAddr,

_stock,

_msgSender(),

stockInfo.points,

_amount

);

}

Now as can be seen from the following lines that abortOfferStatus is updated for memory variable originOfferInfo and not offerInfoMap[originOffer] thus incorrect updation.

/// @dev change abort offer status when offer settle type is turbo

if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

address originOffer = makerInfo.originOffer;

OfferInfo memory originOfferInfo = offerInfoMap[originOffer];

if (_collateralRate != originOfferInfo.collateralRate) {

revert InvalidCollateralRate();

}

originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;

}

Impact

Updation doesn't happens ever which is intended as can be seen from the comments.

Tools Used

Manual Review

Recommendations

Make the following changes

/// @dev change abort offer status when offer settle type is turbo

if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

address originOffer = makerInfo.originOffer;

OfferInfo memory originOfferInfo = offerInfoMap[originOffer];

if (_collateralRate != originOfferInfo.collateralRate) {

revert InvalidCollateralRate();

}

originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;

@==> offerInfoMap[originOffer] = originOfferInfo

}

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-listOffer-originIOfferInfo-storage-memory

Valid high severity, because the `abortOfferStatus` of the offer is not updated and persist through `storage` when listing an offer for turbo mode within the `offerInfoMap` mapping, it allows premature abortion given the `abortOfferStatus` defaults to `Initialized`, allowing the bypass of this [check](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L552-L557) here and allow complete refund of initial collateral + stealing of trade tax which can potentially be gamed for profits using multiple addresses

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.