Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Offer maker could impose any percentage as trade tax in Premarkets.sol

maushishreal

Summary

During the creation of the offers, Premarkets.sol#createOffer no check is implemented which doesn't allow users to cap each trade tax percentage.

Vulnerability Details

Premarkets.sol#createOffer only implemented the right precision constant but not the maximum limit of trade tax

function createOffer(CreateOfferParams calldata params) external payable {

/**

* @dev points and amount must be greater than 0

* @dev eachTradeTax must be less than 100%, decimal scaler is 10000

* @dev collateralRate must be more than 100%, decimal scaler is 10000

if (params.points == 0x0 || params.amount == 0x0) {

revert Errors.AmountIsZero();

}

if (params.eachTradeTax > Constants.EACH_TRADE_TAX_DECIMAL_SCALER) {//<------scaler for precision

revert InvalidEachTradeTaxRate();

}

if (params.collateralRate < Constants.COLLATERAL_RATE_DECIMAL_SCALER) {

revert InvalidCollateralRate();

}

/// @dev market place must be online

ISystemConfig systemConfig = tadleFactory.getSystemConfig();

MarketPlaceInfo memory marketPlaceInfo = systemConfig

.getMarketPlaceInfo(params.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(

block.timestamp,

MarketPlaceStatus.Online

);

...

}

As, 10_000 represents 100% , offer maker could put 10_000 as trade tax and steal funds.

Impact

Offer makers could impose any percentage as trade tax which is against the business logic of the protocol

Tools Used

Manual review

Recommendations

//add this check in createOffer()

+ if (params.eachTradeTax > Constants.EACH_TRADE_TAX_MAXINUM) {

+ revert InvalidEachTradeTaxRate();

+ }

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-off-by-one-Collateral-Rate-100%

I believe this is borderline informational/low. Despite this off-by-one error of the intended check, the difference between 100% and 101% is minimal, so I believe whether or not 100% is allowed has minimal impact. Ultimately, it still comes down to the risk level that users are willing to take

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.