The `relistOffer` function does not validate that the collateral amount provided (`msg.value`) matches the original offer's collateral requirements. This oversight can lead to significant discrepancies in collateral management, because users can relist offers with incorrect collateral amounts. Such discrepancies can result in improper refunds, inconsistencies in the collateral pool, and potential financial exploitation.
```solidity
uint256 depositAmount = OfferLibraries.getRefundAmount(
    offerInfo.offerType,
    offerInfo.amount,
    offerInfo.points,
    offerInfo.usedPoints,
    offerInfo.collateralRate
);
ITokenManager tokenManager = tadleFactory.getTokenManager();
tokenManager.tillIn{value: msg.value}(
    _msgSender(),
    makerInfo.tokenAddress,
    depositAmount,
    false
);
```
Proof of Concept (PoC):

Scenario setup:
* A user lists an offer using `listOffer`, providing a specific amount of collateral.
* The offer is then closed, and the collateral is refunded according to the `OfferSettleType`.

Relisting the offer:
* The user decides to relist the offer using `relistOffer` but provides a different collateral amount (`msg.value`).
* The function accepts the relisting request without validating that the new collateral amount matches the original collateral requirements.

Exploitation example:
* Offer details: the user has 200 points that need to be backed by a specific amount of collateral, say `X`.
* Initial listing: the user lists the offer with 200 points and provides `X` units of collateral.
* Closing the offer: the offer is closed, and the user receives a refund of the full collateral amount (`X` units).
* State after closing: the collateral amount (`X` units) is refunded to the user, and the offer status is updated to `Canceled`.
* Relisting the offer: the user decides to relist the offer with the same 200 points but provides only `0.5X` units of collateral (`msg.value`).
```solidity
tokenManager.tillIn{value: msg.value}(
    _msgSender(),
    makerInfo.tokenAddress,
    depositAmount,
    false
);
```
There is no check to ensure that `msg.value` covers the required `depositAmount`.

Add validation to ensure that the collateral amount provided (`msg.value`) matches the collateral amount required for the offer. This involves comparing `msg.value` with the collateral amount specified in the original offer.

Update the relist logic:
* Retrieve the original collateral amount from the `OfferInfo` of the closed offer.
* Ensure that `msg.value` matches the original collateral amount before proceeding with the relisting.
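
A minimal sketch of the recommended check, written for this write-up as an added example; it is not code from the Tadle repository. The contract, its storage layout and all names (`RelistGuardExample`, `requiredCollateral`, `CollateralMismatch`) are hypothetical, and it assumes native-token collateral only, with `requiredCollateral` standing in for `depositAmount`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tadle code: every name below is hypothetical.
contract RelistGuardExample {
    enum Status { None, Listed, Canceled }

    struct Offer {
        address maker;
        uint256 requiredCollateral; // stands in for the page's depositAmount
        Status status;
    }

    error NotMaker();
    error WrongStatus();
    error CollateralMismatch(uint256 required, uint256 provided);

    mapping(uint256 => Offer) public offers;

    function listOffer(uint256 id, uint256 required) external payable {
        if (offers[id].status != Status.None) revert WrongStatus();
        if (msg.value != required) revert CollateralMismatch(required, msg.value);
        offers[id] = Offer(msg.sender, required, Status.Listed);
    }

    function closeOffer(uint256 id) external {
        Offer storage o = offers[id];
        if (o.maker != msg.sender) revert NotMaker();
        if (o.status != Status.Listed) revert WrongStatus();
        o.status = Status.Canceled; // state change before the external call
        (bool ok, ) = msg.sender.call{value: o.requiredCollateral}("");
        require(ok, "refund failed");
    }

    function relistOffer(uint256 id) external payable {
        Offer storage o = offers[id];
        if (o.maker != msg.sender) revert NotMaker();
        if (o.status != Status.Canceled) revert WrongStatus();
        // The check the finding asks for: relisting with 0.5X reverts here
        // instead of recording a deposit the contract never received.
        if (msg.value != o.requiredCollateral) {
            revert CollateralMismatch(o.requiredCollateral, msg.value);
        }
        o.status = Status.Listed;
    }
}
```

With this guard, the scenario above (list with `X`, close, relist with `0.5X`) reverts with `CollateralMismatch(X, 0.5X)` and the offer stays `Canceled`.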