Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Capital pool can be drained due to Reentrancy

silentwalker

Summary

The closeBidOffer function is vulnerable to reentrancy attacks, allowing malicious users to drain funds from the capital pool. This occurs because the function does not properly follow the Check Effects and Interaction pattern.

Vulnerability Detail

The closeBidOffer function does not follow the Check Effects and Interaction pattern. Upon calling the function, the refundAmount is calculated, and then this amount is added to the token balance of the msg.sender before the offer status is updated, as shown below:

uint256 refundAmount = OfferLibraries.getRefundAmount(

offerInfo.offerType,

offerInfo.amount,

offerInfo.points,

offerInfo.usedPoints, // 0 if above check holds

offerInfo.collateralRate

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(

TokenBalanceType.MakerRefund,

_msgSender(),

makerInfo.tokenAddress,

refundAmount

);

IPerMarkets perMarkets = tadleFactory.getPerMarkets();

perMarkets.updateOfferStatus(_offer, OfferStatus.Settled);

// @audit reentrancy should close offer (updateStatus) before adding token balance

emit CloseBidOffer(

makerInfo.marketPlace,

offerInfo.maker,

_offer,

_msgSender()

);

Impact

The pool can be drained, leading to a loss of protocol and user funds.

Tools Used

Manual Review

Recommendations

Change the above code to the one below or use a reentrancy guard from OpenZeppelin:

uint256 refundAmount = OfferLibraries.getRefundAmount(\

offerInfo.offerType,\

offerInfo.amount,\

offerInfo.points,\

offerInfo.usedPoints, // 0 if above check holds\

offerInfo.collateralRate\

);

IPerMarkets perMarkets = tadleFactory.getPerMarkets();\

perMarkets.updateOfferStatus(\_offer, OfferStatus.Settled);

ITokenManager tokenManager = tadleFactory.getTokenManager();\

tokenManager.addTokenBalance(\

TokenBalanceType.MakerRefund,\

\_msgSender(),\

makerInfo.tokenAddress,\

refundAmount\

);

emit CloseBidOffer(\

makerInfo.marketPlace,\

offerInfo.maker,\

\_offer,\

\_msgSender()\

);

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Assigned finding tags:

[invalid] finding-PreMarkets-reentrancy

Invalid, all [vague generalities](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#vague-generalities) talking about possible reentrancies 11and afaik, reentrancy is not possible and not proven.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.