Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

`deliveryPlace:settleAskTaker()` adds pointsToken at collateralToken address instead of pointsToken address

Summary

`deliveryPlace:settleAskTaker()` credits the pointsToken amount under the collateralToken address instead of the pointsToken address.

Vulnerability Details

A user can settle their askTaker position with `deliveryPlace:settleAskTaker()`, which transfers the pointsToken from `msg.sender` to the capitalPool. The function also credits that pointsToken amount to `offerInfo.authority`, but it does so under the collateralToken address instead of the pointsToken address.

```solidity
function settleAskTaker(address _stock, uint256 _settledPoints) external {
    ...
    uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint * _settledPoints;
    ITokenManager tokenManager = tadleFactory.getTokenManager();
    if (settledPointTokenAmount > 0) {
        tokenManager.tillIn(_msgSender(), marketPlaceInfo.tokenAddress, settledPointTokenAmount, true);
        tokenManager.addTokenBalance(
@>          TokenBalanceType.PointToken, offerInfo.authority, makerInfo.tokenAddress, settledPointTokenAmount
        );
    }
    uint256 collateralFee = OfferLibraries.getDepositAmount(
        offerInfo.offerType, offerInfo.collateralRate, stockInfo.amount, false, Math.Rounding.Floor
    );
    ...
}
```

In the code above, the call to `addTokenBalance()` passes `makerInfo.tokenAddress` (the collateralToken address), so the pointsToken amount is credited to `offerInfo.authority` under the collateral token's address.

Impact

The pointsToken amount is recorded under the collateralToken address. As a result, the user will not be able to withdraw the pointsToken.
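
The accounting effect can be reproduced with a small model. This is an added Python illustration, not code from the Tadle contracts or from the submission: `Ledger`, `drift()`, `run()`, the token placeholders and the amounts are hypothetical, and only `till_in`/`add_token_balance` mirror the two calls shown above.

```python
from collections import defaultdict

# Constructed placeholders, not real addresses.
POINT = "point-token"        # stands for marketPlaceInfo.tokenAddress
COLLATERAL = "collateral"    # stands for makerInfo.tokenAddress

class Ledger:
    """Hypothetical model: pool holdings plus per-user withdrawable credits."""
    def __init__(self):
        self.pool = defaultdict(int)    # token -> amount actually held
        self.credit = defaultdict(int)  # (user, token) -> withdrawable amount

    def till_in(self, token, amount):
        self.pool[token] += amount      # tokens physically arrive

    def add_token_balance(self, user, token, amount):
        self.credit[(user, token)] += amount

    def withdraw(self, user, token):
        amount = self.credit.pop((user, token), 0)
        if amount > self.pool[token]:
            raise RuntimeError(f"pool holds too little {token}")
        self.pool[token] -= amount
        return amount

    def drift(self):
        """token -> held minus credited, listing only tokens where they differ."""
        credited = defaultdict(int)
        for (_, token), amount in self.credit.items():
            credited[token] += amount
        tokens = set(self.pool) | set(credited)
        return {t: self.pool[t] - credited[t] for t in tokens
                if self.pool[t] != credited[t]}

def settle_ask_taker(ledger, authority, amount, fixed):
    ledger.till_in(POINT, amount)                  # points are pulled in
    key = POINT if fixed else COLLATERAL           # the one-argument difference
    ledger.add_token_balance(authority, key, amount)

def run(fixed):
    ledger = Ledger()
    ledger.till_in(COLLATERAL, 500)                # another user's deposit
    ledger.add_token_balance("other", COLLATERAL, 500)
    settle_ask_taker(ledger, "authority", 100, fixed)
    drift = ledger.drift()
    return drift, ledger.withdraw("authority", POINT)

if __name__ == "__main__":
    print("original:", run(fixed=False))
    print("patched: ", run(fixed=True))
```

With the original argument, `drift()` shows 100 point tokens held but credited to nobody and 100 collateral tokens credited without a matching deposit, and the point-token withdrawal returns 0. A per-token "held equals credited" check like this is a useful invariant for tests of the settlement paths.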

Tools Used

Manual Review

Recommendations

Use the pointsToken address (`marketPlaceInfo.tokenAddress`) instead of the collateralToken address in `deliveryPlace:settleAskTaker()`:

- tokenManager.addTokenBalance(
- TokenBalanceType.PointToken, offerInfo.authority, makerInfo.tokenAddress, settledPointTokenAmount
- );
+ tokenManager.addTokenBalance(
+ TokenBalanceType.PointToken, offerInfo.authority, marketPlaceInfo.tokenAddress, settledPointTokenAmount
+ );
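
Review bot: the replacement covers only the `addTokenBalance` call in `settleAskTaker()`, but the finding tag on this page also names `closeBidTaker` for the same wrong `makerInfo` token address, so that function needs the same substitution checked before this is closed. With the change, the token credited matches the one `tillIn` pulls in (`marketPlaceInfo.tokenAddress`). A regression test that settles and then asserts a `TokenBalanceType.PointToken` balance for `offerInfo.authority` keyed by `marketPlaceInfo.tokenAddress` would keep the two arguments from drifting apart again.
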
Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, the user loses funds based on the points they are supposed to receive.
