Tadle

Summary

There is an invalid calculation of the totalDepositAmount in the PreMarkets.abortAskOffer() function that results in an overinflated Maker refund when the collateralRatio > 100%. As a result, the Maker receives a larger refund than expected, while the Taker receives the compensation as expected. This discrepancy leads to a loss of funds for the protocol and other users, as an attacker exploiting this issue can extract all the funds from the system.

Vulnerability Details

In the PreMarkets.abortAskOffer() function, the calculation for totalDepositAmount is as follows:

The issue here is that totalDepositAmount should also be calculated from the Maker's perspective and account for the collateral ratio, similar to the calculations for transferAmount done earlier.

If totalDepositAmount is not counted as a Maker deposit, the following line will result in an excessively large refund for the Maker:

An attacker can exploit this issue to extract all funds from the system. Here is how:

1. The attacker, as a Maker, creates an Ask offer with a 100000% collateral ratio, with 50 points for 50 USDC, and deposits 50000 USDC as collateral.

2. The attacker, as a Taker, takes this Ask offer and buys 25 points for 25 USDC.

3. The Ask offer is aborted, and the Maker receives a 49975 USDC refund. The offer is marked as Settled.

4. The attacker, as a Taker, calls DeliveryPlace.closeBidTaker() and receives 25000 USDC as compensation for not receiving the Points tokens.

As a result, the attacker can extract 24975 USDC from the protocol. This exploit can be achieved within a single transaction, and a flash loan can be used, meaning the attacker does not need to possess 50k USDC as collateral initially.

Impact

• Loss of funds.

Tools Used

• Manual review.

Recommendations

Use true for the _isMaker parameter in the OfferLibraries.getDepositAmount() function to ensure accurate calculations of totalDepositAmount.