Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Invalid

Risk of Inconsistent State Due to Unverified External Calls

Vulnerability Details:

The contract calls tokenManager.tillIn() without validating the result of this external call. If the call fails, the function proceeds without interruption, potentially leading to inconsistencies in the contract's state.

Impact:

If the tillIn function fails (e.g., because of insufficient funds or if the contract is paused), the contract will behave as if the transfer was successful, even though it wasn’t. This could result in a mismatch between the expected and actual token balances, potentially allowing users to receive tokens or benefits incorrectly.

Example

In the settleAskMaker function:

function settleAskMaker(address _offer, uint256 _settledPoints) external {
    // ... [earlier code omitted for brevity]
    uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint * _settledPoints;
    if (settledPointTokenAmount > 0) {
        tokenManager.tillIn(
            _msgSender(),
            marketPlaceInfo.tokenAddress,
            settledPointTokenAmount,
            true
        );
    }
    // ... [state updates and event emissions]
    perMarkets.settledAskOffer(
        _offer,
        _settledPoints,
        settledPointTokenAmount
    );
}

If tokenManager.tillIn() fails silently (e.g., due to insufficient funds), the function continues, leading to:

  1. No actual token transfer occurs.

  2. The offer is still marked as settled using perMarkets.settledAskOffer().

  3. An event is emitted, indicating a successful settlement, even though no tokens were transferred.

This can cause the contract to believe a settlement has occurred when, in fact, it hasn’t.

Tools Used:

Manual Review

Recommendations:

  1. Verify the return value of tillIn and ensure the transaction reverts if it fails.

  2. If tillIn doesn't return a value, consider modifying it or use a try/catch block to handle potential failures.

  3. Log events for any failed transfers to facilitate off-chain monitoring.

bool success = tokenManager.tillIn(
    _msgSender(),
    marketPlaceInfo.tokenAddress,
    settledPointTokenAmount,
    true
);
require(success, "Token transfer failed");

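The try/catch form from recommendation 2, combined with the failure log from recommendation 3, as an added example that is not part of this submission or of the Tadle code base. The ITokenManager and IPerMarkets interfaces only mirror the call shapes visible in settleAskMaker above; their parameter names, the tokenPerPoint/token parameters, and the contract name are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tadle code. The interface mirrors the four-argument
// call shape used in settleAskMaker; the parameter names are assumed.
interface ITokenManager {
    function tillIn(address from, address token, uint256 amount, bool isPointToken) external;
}

// Stand-in for the market bookkeeping contract (name and signature assumed).
interface IPerMarkets {
    function settledAskOffer(address offer, uint256 settledPoints, uint256 tokenAmount) external;
}

contract SettlementCaller {
    ITokenManager public immutable tokenManager;
    IPerMarkets public immutable perMarkets;

    // Persisted only on the non-reverting path: an event emitted and then
    // reverted in the same transaction is discarded with the rest of the state.
    event TillInFailed(address indexed from, address indexed token, uint256 amount, bytes reason);
    event AskOfferSettled(address indexed offer, uint256 settledPoints, uint256 tokenAmount);

    constructor(ITokenManager _tokenManager, IPerMarkets _perMarkets) {
        tokenManager = _tokenManager;
        perMarkets = _perMarkets;
    }

    /// Pulls `amount` of `token` from `from` via tillIn. Returns false instead of
    /// reverting when the callee reverts, so the caller decides what happens next.
    function _tillIn(address from, address token, uint256 amount) internal returns (bool ok) {
        if (amount == 0) return true;
        try tokenManager.tillIn(from, token, amount, true) {
            return true;
        } catch (bytes memory reason) {
            // `reason` is the callee's raw revert data: Error(string), Panic(uint256)
            // or a custom error; it is logged verbatim for off-chain decoding.
            emit TillInFailed(from, token, amount, reason);
            return false;
        }
    }

    /// Bookkeeping runs only after the transfer has succeeded, so the offer is
    /// never marked as settled without the tokens having moved.
    function settleAskMaker(address offer, uint256 settledPoints, uint256 tokenPerPoint, address token)
        external
        returns (bool settled)
    {
        uint256 settledPointTokenAmount = tokenPerPoint * settledPoints;
        if (!_tillIn(msg.sender, token, settledPointTokenAmount)) {
            return false; // failure already logged; no settlement state is touched
        }
        perMarkets.settledAskOffer(offer, settledPoints, settledPointTokenAmount);
        emit AskOfferSettled(offer, settledPoints, settledPointTokenAmount);
        return true;
    }
}
```

Two Solidity facts shape this design. First, a high-level external call such as `tokenManager.tillIn(...)` written without try/catch already propagates the callee's revert to the caller, so the enclosing transaction aborts rather than continuing; try/catch is what lets the caller observe the failure and choose its own handling. Second, an event emitted inside the catch block only reaches the chain if the function then returns normally; if the chosen handling is `revert`, as in the `require(success, ...)` snippet above, the failed-transfer log must instead come from off-chain monitoring of the reverted transaction.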
Updates

Lead Judging Commences

0xnevi Lead Judge
12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
