Inconsistent Settlement Handling Will Lead to Incorrect Offer States and Potential Financial Losses (`PreMarkets::settledAskOffer `and `PreMarkets::settleAskTaker`)
Summary
Vulnerability Detail
The PreMarkets contract implements two critical functions for settling offers: settledAskOffer() and settleAskTaker(). These functions are designed to handle the settlement process for ask offers and bid takers respectively. However, there is a significant inconsistency in how these functions update the settlement state, which can lead to incorrect offer states and potential financial discrepancies.
In the settledAskOffer() function, the settledPoints and settledPointTokenAmount are directly set to the input values:
Conversely, in the settleAskTaker() function, these same values are incremented:
This inconsistency can lead to incorrect settlement states. For instance, if settledAskOffer() is called after settleAskTaker(), it will overwrite the accumulated values, potentially leading to a loss of settlement information.
Furthermore, settledAskOffer() sets the offerStatus to Settled, while settleAskTaker() does not update this status at all. This can result in offers being marked as settled prematurely or remaining unsettled when they should be marked as settled.
Impact
The inconsistent handling of settlement states can lead to incorrect financial accounting and potential discrepancies in the offer and stock states. This can result in financial losses for users and undermine the integrity of the contract's settlement process. Specifically, offers may appear unsettled when they are partially settled, leading to incorrect balances and potential exploitation.
Proof of Concept
Alice calls
settleAskTaker()for an offer, incrementingsettledPointsby 100 andsettledPointTokenAmountby 1000.Bob calls
settleAskTaker()for the same offer, further incrementingsettledPointsby 50 andsettledPointTokenAmountby 500.Charlie calls
settledAskOffer()for the same offer with_settledPointsas 75 and_settledPointTokenAmountas 750.The final state of the offer now shows
settledPointsas 75 andsettledPointTokenAmountas 750, effectively erasing the settlements made by Alice and Bob.
Tools Used
Manual review
Recommendation
To address this issue, both functions should handle the settlement state consistently. Here's a proposed fix:
Additionally, consider implementing a check to ensure that the total settled points and amounts do not exceed the original offer amounts.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.