Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect collateralRate is used for protected mode while listing the offer.

VaRuN

Summary

Wrong collateral is used while listing an offer in protected mode.

Vulnerability Details

Following is listing offer function.

function listOffer(

address _stock,

uint256 _amount,

uint256 _collateralRate

) external payable {

if (_amount == 0x0) {

revert Errors.AmountIsZero();

}

if (_collateralRate < Constants.COLLATERAL_RATE_DECIMAL_SCALER) {

revert InvalidCollateralRate();

}

StockInfo storage stockInfo = stockInfoMap[_stock];

if (_msgSender() != stockInfo.authority) {

revert Errors.Unauthorized();

}

OfferInfo storage offerInfo = offerInfoMap[stockInfo.preOffer];

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

/// @dev market place must be online

ISystemConfig systemConfig = tadleFactory.getSystemConfig();

MarketPlaceInfo memory marketPlaceInfo = systemConfig

.getMarketPlaceInfo(makerInfo.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(

block.timestamp,

MarketPlaceStatus.Online

);

if (stockInfo.offer != address(0x0)) {

revert OfferAlreadyExist();

}

if (stockInfo.stockType != StockType.Bid) {

revert InvalidStockType(StockType.Bid, stockInfo.stockType);

}

/// @dev change abort offer status when offer settle type is turbo

if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

address originOffer = makerInfo.originOffer;

OfferInfo memory originOfferInfo = offerInfoMap[originOffer];

if (_collateralRate != originOfferInfo.collateralRate) {

revert InvalidCollateralRate();

}

originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;

}

/// @dev transfer collateral when offer settle type is protected

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate,

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

address offerAddr = GenerateAddress.generateOfferAddress(stockInfo.id);

if (offerInfoMap[offerAddr].authority != address(0x0)) {

revert OfferAlreadyExist();

}

/// @dev update offer info

offerInfoMap[offerAddr] = OfferInfo({

id: stockInfo.id,

authority: _msgSender(),

maker: offerInfo.maker,

offerStatus: OfferStatus.Virgin,

offerType: offerInfo.offerType,

abortOfferStatus: AbortOfferStatus.Initialized,

points: stockInfo.points,

amount: _amount,

collateralRate: _collateralRate,

usedPoints: 0,

tradeTax: 0,

settledPoints: 0,

settledPointTokenAmount: 0,

settledCollateralAmount: 0

});

stockInfo.offer = offerAddr;

emit ListOffer(

offerAddr,

_stock,

_msgSender(),

stockInfo.points,

_amount

);

}

Now following is how transfer amount is calculated for protected mode.

/// @dev transfer collateral when offer settle type is protected

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate,

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

As can be seen that the collateral rate of the pre offer for which initial bid was set is used but the listed offer uses the collateral rate which is inputed by the stock owner as can be seen from the following.

/// @dev update offer info

offerInfoMap[offerAddr] = OfferInfo({

id: stockInfo.id,

authority: _msgSender(),

maker: offerInfo.maker,

offerStatus: OfferStatus.Virgin,

offerType: offerInfo.offerType,

abortOfferStatus: AbortOfferStatus.Initialized,

points: stockInfo.points,

amount: _amount,

@==> collateralRate: _collateralRate,

usedPoints: 0,

tradeTax: 0,

settledPoints: 0,

settledPointTokenAmount: 0,

settledCollateralAmount: 0

});

Now issue is that the owner can set collateral rate greater than the pre offer collateral rate and instantly call the close offer and can earn a profit as deposited amount would be caluclated using a lesser collateral rate.

Close offer function is as follows.

function closeOffer(address _stock, address _offer) external {

OfferInfo storage offerInfo = offerInfoMap[_offer];

StockInfo storage stockInfo = stockInfoMap[_stock];

if (stockInfo.offer != _offer) {

revert InvalidOfferAccount(stockInfo.offer, _offer);

}

if (offerInfo.authority != _msgSender()) {

revert Errors.Unauthorized();

}

if (offerInfo.offerStatus != OfferStatus.Virgin) {

revert InvalidOfferStatus();

}

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

/// @dev market place must be online

ISystemConfig systemConfig = tadleFactory.getSystemConfig();

MarketPlaceInfo memory marketPlaceInfo = systemConfig

.getMarketPlaceInfo(makerInfo.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(

block.timestamp,

MarketPlaceStatus.Online

);

/**

* @dev update refund token from capital pool to balance

* @dev offer settle type is protected or original offer

if (

makerInfo.offerSettleType == OfferSettleType.Protected ||

stockInfo.preOffer == address(0x0)

) {

uint256 refundAmount = OfferLibraries.getRefundAmount(

offerInfo.offerType,

offerInfo.amount,

offerInfo.points,

offerInfo.usedPoints,

offerInfo.collateralRate

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(

TokenBalanceType.MakerRefund,

_msgSender(),

makerInfo.tokenAddress,

refundAmount

);

}

offerInfo.offerStatus = OfferStatus.Canceled;

emit CloseOffer(_offer, _msgSender());

}

/**

As can be seen how refund amount is calculated using the offer collateral rate

uint256 refundAmount = OfferLibraries.getRefundAmount(

offerInfo.offerType,

offerInfo.amount,

offerInfo.points,

offerInfo.usedPoints,

offerInfo.collateralRate

);

offer owner by instantly calling the function when used points would be zero can get more amount of refund amount than transferred amount just by passing a larger collateral rate.

Even if owner closes afterwards or even settles the offer later he should be refunded the collateral he deposited and not more than that but as illustrated above he would be refunded more as wrong collateral rate is used for transferring the amount.

Impact

Wrong transferred amount is calculated which can cause wrong amount to be refunded.

Tools Used

Manual review

Recommendations

Make the following change in list offer function

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

@==> _collateralRate,

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipilation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.