Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

incorrect address used in `DeliveryPlace.closeBidTaker`

zer0

Summary

Function DeliveryPlace.closeBidTaker is supposed to close a buy take, and the amount of pointToken is supposed to be updated at the end of the function instead of makerInfo.tokenAddress in DeliveryPlace.sol#L198

Vulnerability Details

In DeliveryPlace.closeBidTaker, the function is used to close bid taker, and in DeliveryPlace.sol#L190-L194, the pointTokenAmount is calculated, thus in DeliveryPlace.sol#L195-L200, the balance should be updated is marketPlaceInfo.tokenAddress instead of makerInfo.tokenAddress, because makerInfo.tokenAddress stands for collateral token, and marketPlaceInfo.tokenAddress stands for pointToken

96 function closeBidTaker(address _stock) external {

...

178 uint256 userCollateralFee = collateralFee.mulDiv(

179 userRemainingPoints,

180 offerInfo.usedPoints,

181 Math.Rounding.Floor

182 );

183

184 tokenManager.addTokenBalance(

185 TokenBalanceType.RemainingCash,

186 _msgSender(),

187 makerInfo.tokenAddress,

188 userCollateralFee

189 );

190 uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(

191 userRemainingPoints,

192 offerInfo.usedPoints,

193 Math.Rounding.Floor

194 );

195 tokenManager.addTokenBalance(

196 TokenBalanceType.PointToken,

197 _msgSender(),

198 makerInfo.tokenAddress, <<< --- Here, `marketPlaceInfo.tokenAddress` should be used

199 pointTokenAmount

200 );

201

202 perMarkets.updateStockStatus(_stock, StockStatus.Finished);

203

...

212 }

Impact

Buyer can't receive the correct pointToken

Tools Used

Recommendations

diff --git a/src/core/DeliveryPlace.sol b/src/core/DeliveryPlace.sol

index 70cbb8e..b5b8624 100644

--- a/src/core/DeliveryPlace.sol

+++ b/src/core/DeliveryPlace.sol

@@ -195,7 +195,7 @@ contract DeliveryPlace is DeliveryPlaceStorage, Rescuable, IDeliveryPlace {

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

_msgSender(),

- makerInfo.tokenAddress,

+ marketPlaceInfo.tokenAddress,

pointTokenAmount

);

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.