Collateral tokens are incorrectly refunded in `PreMarkets.abortAskOffer()`
Relevant GitHub Links
Summary
PreMarkets.abortAskOffer() allows offer owner to close offer and refund unused collateral tokens. Because of incorrect calculation, user would get fewer collateral tokens back than it should be.
Vulnerability Details
To get refund amount we need to know 2 values: total deposited collateral amount and collateral amount that is already used. Let's take a look at block which determines remaining amount of collateral:
If offer status is OfferStatus.Virgin then no points were used and remainingAmount is all amount of collateral that was deposited. If offer status is OfferStatus.Canceled then we should get difference between all tokens and used tokens but in condition statement, we only get the collateral amount of used points which is wrong.
Impact
Offer owner can not get all unused collateral tokens back when aborting ask offer.
Recommended Mitigation Steps
Change calculation of else block to this:
Lead Judging Commences
[invalid] finding-PreMarkets-abortAskOffer-remainingAmount-compute
Valid high, for cancelled offers, the unused collateral should be returned back to the maker. The `remainingAmount` is calculated wrongly with regards to usedPoints instead of unused points. Note: See comments under 826 and 907 for invalidation reasons
Appeal created
[invalid] finding-PreMarkets-abortAskOffer-remainingAmount-compute
Valid high, for cancelled offers, the unused collateral should be returned back to the maker. The `remainingAmount` is calculated wrongly with regards to usedPoints instead of unused points. Note: See comments under 826 and 907 for invalidation reasons
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.