A critical vulnerability exists in the DeliveryPlace contract where the tillIn function fails in cases where the marketplace operates on WETH. This failure causes the settleAskTaker and settleAskMaker functions to become inoperable, potentially disrupting the protocol's operations.
`@>`: if `marketPlaceInfo.tokenAddress == wrappedNativeToken` or the marketplace operates on `WETH`, it would require extra ETH sent in via `tillIn{value: msg.value}(...)`
This vulnerability has a Medium impact, as the failure of the tillIn function prevents the settleAskTaker and settleAskMaker functions from operating correctly. This could result in a denial of service (DOS) for users participating in WETH-based marketplaces.
Manual Review
Make the corresponding functions payable to receive msg.value and forward ETH to tokenManager.tillIn{value: msg.value} to ensure that the tillIn function operates correctly in WETH marketplaces.
Invalid, in `settleAskMaker` and `settleAskTaker` you are settling the point token to be given to the takers, which is an ERC20 token, so no native ETH is involved and thus no msg.value is required.