Tadle

Summary

When users want to abort stock, amount passed is not calculated correctly

Vulnerability Details

Users can abort their stock when the ask offer that they filled up is aborted using PreMarkets.abortBidTaker() , so let's say a maker is no longer interested in selling their points (ask offer) they abort the offer, someone that filled up that offer can abort their own stock (bidder) that filled up the ask offer and get the amount they paid for the points back. The issue lies in the calcuation used to get the amount back for the points they bidded for

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L671-L683

uint256 depositAmount = stockInfo.points.mulDiv(````preOfferInfo.points,````preOfferInfo.amount,````Math.Rounding.Floor````); let's assume that the maker set 100 points for 10 ether as their offer (10 points for 1 ether ), so if a user comes to buy 10 points he paid 1 ether when filling up the order so when he abort he's supposed to get 1 ether back but with this calculation it's done as

setting variables : stock points = 10 ; offer.points = 100 ; offer.amount = 10

10 * 100 / 10 = 100 ether; so 100 ether will be added to user balance instead of 1 ether

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L687-L692

its supposed to be stock.points * * offer.amount / offer.points which is 10 ** 10 / 100 which gives 1 ether and should be the right amount the msg.sender gets back. This can go very high, as high as offer.points ratio to amount goes.

Impact

User gets way way more tokens than should have gotten.

Tools Used

Manual Review

Recommendations

I showed the right calculations above on what should be used