Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Due to an incorrect validation of the caller (`_msgSender()`) in PreMarkets#`abortBidTaker()`, an unexpected caller (`stockInfo.authority`) can freely abort a bid taker

Summary

Due to an incorrect validation of the caller (_msgSender()) in PreMarkets#abortBidTaker(), an unexpected caller (stockInfo.authority) can freely abort a bid taker.
(On the other hand, when the eligible caller (preOfferInfo.authority) calls PreMarkets#abortBidTaker(), the TX reverts.)

Vulnerability Details

Within PreMarkets#abortBidTaker(), the TX reverts if the caller (_msgSender()) is not the stock owner (stockInfo.authority):
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L649-L651

```solidity
/**
 * @notice abort bid taker
 * @param _stock stock address
 * @param _offer offer address
 * @notice Only offer owner can abort bid taker ///<----------------------- @audit
 * @dev Only offer abort status is aborted can be aborted
 * @dev Update stock authority refund amount
 */
function abortBidTaker(address _stock, address _offer) external {
    StockInfo storage stockInfo = stockInfoMap[_stock];
    OfferInfo storage preOfferInfo = offerInfoMap[_offer];
    if (stockInfo.authority != _msgSender()) { ///<---------------------------- @audit
        revert Errors.Unauthorized();
    }
    ...
```

According to the NatSpec of PreMarkets#abortBidTaker() quoted above, the caller (_msgSender()) is supposed to be the offer owner (preOfferInfo.authority):

@notice Only offer owner can abort bid taker

However, within PreMarkets#abortBidTaker(), the caller (_msgSender()) must be the stock owner (stockInfo.authority); otherwise the TX reverts:
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L649

```solidity
if (stockInfo.authority != _msgSender()) { ///<-------- @audit
    revert Errors.Unauthorized();
}
```

Impact

This discrepancy allows an unexpected caller (stockInfo.authority) to freely abort a bid taker, because the unexpected caller (stockInfo.authority) can permissionlessly call PreMarkets#abortBidTaker().
(On the other hand, when the eligible caller (preOfferInfo.authority) calls PreMarkets#abortBidTaker(), the TX reverts.)

Tools Used

  • Foundry

Recommendations

Within PreMarkets#abortBidTaker(), consider replacing stockInfo.authority with preOfferInfo.authority in the if-statement:

+ if (preOfferInfo.authority != _msgSender()) {
- if (stockInfo.authority != _msgSender()) {
revert Errors.Unauthorized();
}
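Review bot: the swapped condition only changes who may call `abortBidTaker` if `stockInfo.authority` and `preOfferInfo.authority` can differ for the stock being aborted; the lead judge's comment on this page states that a taker stock's `authority` is set to the offer creator, in which case `if (preOfferInfo.authority != _msgSender())` admits exactly the same caller as the existing check and the mismatch is in the `@notice` line of the NatSpec rather than in the code, so correcting the documentation would be the smaller change. Also, a conventional hunk lists the removed `-` line before the added `+` line; here the order is reversed.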

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-PreMarkets-abortBidTaker-wrong-stock-authority

Invalid. When taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer, aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Hence, we should verify `stockInfoMap`, regardless of the taker order being an ASK (selling points) or BID (buying points) taker order, so there is no issue here, other than a documentation error.
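To make the authority relationship concrete, here is an added example that models the judge's description; it is not Tadle's code. A taker stock stores the offer creator as its `authority`, so the existing `stockInfo.authority` check admits the same caller that a `preOfferInfo.authority` check would. The contract `MarketModel`, its functions `createOffer` and `createTaker`, the `preOffer` field and the Foundry test are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified model (an assumption, not Tadle's PreMarkets) of the bookkeeping the judge describes.
contract MarketModel {
    struct OfferInfo { address authority; bool aborted; }
    struct StockInfo { address authority; address preOffer; }
    error Unauthorized();
    error StockOfferMismatch();
    mapping(address => OfferInfo) public offerInfoMap;
    mapping(address => StockInfo) public stockInfoMap;
    uint256 private nextId = 1;

    // Maker opens an offer owned by msg.sender.
    function createOffer() external returns (address offer) {
        offer = address(uint160(nextId++));
        offerInfoMap[offer] = OfferInfo({authority: msg.sender, aborted: false});
    }

    // Taker fills an offer; the stock's authority is the offer creator, not the taker.
    function createTaker(address offer) external returns (address stock) {
        stock = address(uint160(nextId++));
        stockInfoMap[stock] = StockInfo({authority: offerInfoMap[offer].authority, preOffer: offer});
    }

    // Mirrors the check at issue; given createTaker, it admits the same caller as preOfferInfo.authority.
    function abortBidTaker(address stock, address offer) external {
        StockInfo storage stockInfo = stockInfoMap[stock];
        OfferInfo storage preOfferInfo = offerInfoMap[offer];
        if (stockInfo.preOffer != offer) revert StockOfferMismatch();
        if (stockInfo.authority != msg.sender) revert Unauthorized();
        preOfferInfo.aborted = true;
    }
}

// Foundry test: the taker is rejected, the offer creator succeeds.
contract AbortAuthorityTest is Test {
    MarketModel m = new MarketModel();
    address maker = address(0xA11CE);
    address taker = address(0xB0B);
    function testOnlyOfferCreatorCanAbort() public {
        vm.prank(maker); address offer = m.createOffer();
        vm.prank(taker); address stock = m.createTaker(offer);
        vm.prank(taker); vm.expectRevert(MarketModel.Unauthorized.selector);
        m.abortBidTaker(stock, offer);
        vm.prank(maker); m.abortBidTaker(stock, offer);
        (, bool aborted) = m.offerInfoMap(offer);
        assertTrue(aborted);
    }
}
```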
