Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Settlement period is not checked in `updateMarket`

Summary

The `updateMarket` function in the `SystemConfig` contract does not adequately check whether the provided settlement period has already passed. This oversight allows the possibility of setting a settlement period that has already expired, leading to potential logic errors and unintended behavior in the marketplace operations.

Vulnerability Details

```solidity
function updateMarket(
    string calldata _marketPlaceName,
    address _tokenAddress,
    uint256 _tokenPerPoint,
    uint256 _tge,
    uint256 _settlementPeriod
) external onlyOwner {
    // Derive the marketplace address from its name and load its record.
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(
        _marketPlaceName
    );
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
        marketPlace
    ];

    // Only marketplaces that are currently Online may be updated.
    if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
        revert MarketPlaceNotOnline(marketPlaceInfo.status);
    }

    // The new values are stored as supplied; _settlementPeriod is not
    // compared against block.timestamp.
    marketPlaceInfo.tokenAddress = _tokenAddress;
    marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
    marketPlaceInfo.tge = _tge;
    marketPlaceInfo.settlementPeriod = _settlementPeriod;

    emit UpdateMarket(
        _marketPlaceName,
        marketPlace,
        _tokenAddress,
        _tokenPerPoint,
        _tge,
        _settlementPeriod
    );
}
```

The `_settlementPeriod` parameter is set without checking if its value is in the future relative to the current block timestamp.
This can lead to markets being updated with settlement periods that have already expired, causing logic errors.

The absence of a validation check to ensure the `_settlementPeriod` is set to a future date allows users to specify already expired periods.

Impact

Incorrect settlement periods may lead to inaccurate calculations and distributions, potentially causing financial losses for users and the platform. The presence of expired settlement periods can create inconsistencies in the market's state. The settlement period is a crucial parameter used in critical functions throughout the protocol.

Tools Used

Manual review

Recommendations

Add a validation check to ensure the `_settlementPeriod` is set to a future timestamp, preventing the possibility of expired periods being specified.

function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
+ require(_settlementPeriod > block.timestamp, "Settlement period must be in the future."); // Check for future settlement period
address marketPlace = GenerateAddress.generateMarketPlaceAddress(
_marketPlaceName
);
. . .
}
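
Review bot: Comparing `_settlementPeriod` to `block.timestamp` in the added `require` is only valid if the parameter is an absolute Unix timestamp; it is passed alongside `_tge` and named a period, so if it is a duration in seconds this check would reject every realistic value. Confirm the unit before merging, and if it is a duration, bound it directly or validate `_tge + _settlementPeriod` against `block.timestamp` instead. The existing body reverts with the custom error `MarketPlaceNotOnline`, so a custom error here would match the function's style better than a revert string.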

Since the function can only be called by the owner and he is aware of this, I consider this issue Low severity, but ensure that the settlement period is validated against the current block timestamp to confirm it is set appropriately for future market activities.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted as noted in READ.ME they can break certain assumptions of the code based on their actions, and
