Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Collateral Fee Miscalculation Due to Logical Inconsistency

swapnaliss

Vulnerability Details:

Within the closeBidTaker function, there exists a potential logical inconsistency in the sequence of condition checks. The function initially checks whether offerInfo.usedPoints exceed offerInfo.settledPoints before evaluating offerStatus. This order could result in unexpected behavior, as the decision-making process regarding the offerStatus is dependent on a preceding points comparison.

Impact:

This logical flaw could lead to incorrect computation of the collateralFee. Depending on the order of operations between the offer’s status and the points check, the function might execute the wrong logic branch, potentially causing inaccurate fee calculations. This could be exploited by malicious users to manipulate collateral fees or could lead to unintended outcomes that disrupt the contract's normal operations.

Proof of concept:

Link to code

Consider the following segment from the closeBidTaker function:

function closeBidTaker(address _stock) external {
// ... [earlier code omitted for brevity]
if (offerInfo.usedPoints > offerInfo.settledPoints) {
if (offerInfo.offerStatus == OfferStatus.Virgin) {
collateralFee = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
offerInfo.amount,
true,
Math.Rounding.Floor
);
} else {
// This branch is never reached if usedPoints <= settledPoints,
// even if the offer is not in Virgin status
uint256 usedAmount = offerInfo.amount.mulDiv(
offerInfo.usedPoints,
offerInfo.points,
Math.Rounding.Floor
);
collateralFee = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
usedAmount,
true,
Math.Rounding.Floor
);
}
}
// If usedPoints <= settledPoints, collateralFee remains 0
// ... [rest of the function]
}

In this scenario, if offerInfo.usedPoints <= offerInfo.settledPoints, the collateralFee is always set to 0, irrespective of the offer's status. This could lead to incorrect fee assessments, resulting in potential fund mismanagement.

Tools Used:

Manual Review

Recommendations:

*Prioritize offerStatus Checks: Reorganize the logic to evaluate the offer status before comparing points:

if (offerInfo.offerStatus == OfferStatus.Virgin) {
collateralFee = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
offerInfo.amount,
true,
Math.Rounding.Floor
);
} else if (offerInfo.usedPoints > offerInfo.settledPoints) {
uint256 usedAmount = offerInfo.amount.mulDiv(
offerInfo.usedPoints,
offerInfo.points,
Math.Rounding.Floor
);
collateralFee = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
usedAmount,
true,
Math.Rounding.Floor
);
} else {
// Address scenarios where usedPoints <= settledPoints
// Potentially setting collateralFee to 0 or recalculating accordingly
}

*Comprehensive Handling: Introduce explicit logic to manage all possible combinations of offerStatus and point comparisons, ensuring that all cases are thoroughly addressed.

*Add Validations: Implement additional checks and require statements to confirm the offer's state before performing any calculations.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.