Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect validation in settleAskTaker() leads to loss of collateral

anonymousjoe

Summary

The settleAskTaker() function is supposed to be called by either the owner or the stockInfo.authority. But due to an incorrect validation, stockInfo.authority is unable to call this function and could lead to loss of their collateral.

Vulnerability Details

The settleAskTaker function is intended so that the stockInfo.authority (the one who is selling the points to OfferInfo.authority). But the following check prohibits the stockInfo.authority to settle their stock ever.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L360-L363

if (status == MarketPlaceStatus.AskSettling) {
if (_msgSender() != offerInfo.authority) {
revert Errors.Unauthorized();
}

This incorrect validation could cause many problems.

One such issue is :

  • Assume Bob creates a bid offer of 100 points at 100USDC with collateralRate = 20,000.

  • Alice takes up this offer (createTaker) and as such deposits a collateral of 200USDC.

  • When the marketplace enters the AskSettling phase, Bob calls the settleAskTaker() function with _settledPoints = 0(uninted use of function).

  • Since the _settledPoints != stockInfo.points, Bob gets Alice's complete collateral of 200USDC

    https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L392-L414

    uint256 collateralFee = OfferLibraries.getDepositAmount(
    offerInfo.offerType,
    offerInfo.collateralRate,
    stockInfo.amount,
    false,
    Math.Rounding.Floor
    );
    if (_settledPoints == stockInfo.points) { // Failed check
    tokenManager.addTokenBalance(
    TokenBalanceType.RemainingCash,
    _msgSender(),
    makerInfo.tokenAddress,
    collateralFee
    );
    } else {
    tokenManager.addTokenBalance( // entire collateral being transferred to bob
    TokenBalanceType.MakerRefund,
    offerInfo.authority,
    makerInfo.tokenAddress,
    collateralFee
    );
    }

Note that evenhough alice may have the point tokens to give to Bob she is unable to do so, and will thus always lose her collateral. The same happens even if the owner calls the function.

Impact

A ask taker (alice in the above example) will always lose her collateral even if she has the points to pay. This would lead to users never fulfilling the bid offers and thus breaking core functionality.

Tools Used

Manual Review

Recommendations

Update the validation in the settleAskTaker function as follows (line 360):

if (status == MarketPlaceStatus.AskSettling) {
if (_msgSender() != stockInfo.authority) { // updated validation check
revert Errors.Unauthorized();
}
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-settleAskTaker-wrong-stock-authority

Valid high severity, when taker offers are created pointing to a `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creater of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.