Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Incorrect token address used in `DeliveryPlace.settleAskTaker`

Summary

An incorrect token address is used in `DeliveryPlace.settleAskTaker`, so the buyer cannot receive the point token.

Vulnerability Details

In `DeliveryPlace.settleAskTaker`, the function calculates the amount of point token to settle, `settledPointTokenAmount`, in DeliveryPlace.sol#L373-L374, and transfers that amount of point token from the caller in DeliveryPlace.sol#L377-L382. As DeliveryPlace.sol#L379 shows, `marketPlaceInfo.tokenAddress` is the point token address, while `makerInfo.tokenAddress` is supposed to be the collateral token address. The token address passed in DeliveryPlace.sol#L387 is therefore incorrect.

```solidity
335     function settleAskTaker(address _stock, uint256 _settledPoints) external {
336         IPerMarkets perMarkets = tadleFactory.getPerMarkets();
337         StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);
...
372
373         uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint *
374             _settledPoints;
375         ITokenManager tokenManager = tadleFactory.getTokenManager();
376         if (settledPointTokenAmount > 0) {
377             tokenManager.tillIn(
378                 _msgSender(),
379                 marketPlaceInfo.tokenAddress,
380                 settledPointTokenAmount,
381                 true
382             );
383
384             tokenManager.addTokenBalance(
385                 TokenBalanceType.PointToken,
386                 offerInfo.authority,
387                 makerInfo.tokenAddress, // <<< `marketPlaceInfo.tokenAddress` should be used here
388                 settledPointTokenAmount
389             );
390         }
...
433     }
```

Impact

The buyer cannot receive the correct point token.

Tools Used

Recommendations

diff --git a/src/core/DeliveryPlace.sol b/src/core/DeliveryPlace.sol
index 70cbb8e..ed86de5 100644
--- a/src/core/DeliveryPlace.sol
+++ b/src/core/DeliveryPlace.sol
@@ -384,7 +384,7 @@ contract DeliveryPlace is DeliveryPlaceStorage, Rescuable, IDeliveryPlace {
tokenManager.addTokenBalance(
TokenBalanceType.PointToken,
offerInfo.authority,
- makerInfo.tokenAddress,
+ marketPlaceInfo.tokenAddress,
settledPointTokenAmount
);
}
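
Review bot: in the `addTokenBalance` call, the corrected argument still names the token independently of the `tillIn` call at DeliveryPlace.sol#L379, so the two can drift apart again; consider reading `marketPlaceInfo.tokenAddress` once into a local variable and passing that local to both calls. The judge's finding tag also names `closeBidTaker` for the same `makerInfo.tokenAddress` mix-up, and this hunk does not touch that function, so it needs the same substitution. A test asserting that the `TokenBalanceType.PointToken` credit is recorded under the point token address would cover both paths.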
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.
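
The accounting mismatch described in this finding, as a toy ledger model added here for illustration (it is not the submitter's or Tadle's code). It shows a per-token solvency check flagging the buggy path; the `Pool` class, the token names, the user names and the amounts are constructed, and token prices and decimals are ignored.

```python
from collections import defaultdict

POINT, USDC = "POINT", "USDC"  # constructed stand-ins for the two token addresses


class Pool:
    """Toy ledger: `held` is what custody really holds per token,
    `claims` is what each user has been credited and may withdraw."""

    def __init__(self):
        self.held = defaultdict(int)
        self.claims = defaultdict(lambda: defaultdict(int))

    def till_in(self, token, amount):  # models tokenManager.tillIn
        self.held[token] += amount

    def add_token_balance(self, user, token, amount):  # models addTokenBalance
        self.claims[user][token] += amount

    def insolvent_tokens(self):
        """Tokens whose total credited claims exceed what the pool holds."""
        owed = defaultdict(int)
        for balances in self.claims.values():
            for token, amount in balances.items():
                owed[token] += amount
        return sorted(t for t, amt in owed.items() if amt > self.held[t])


def settle_ask_taker(pool, buyer, point_token, collateral_token, amount, fixed):
    """Pull point tokens from the settler, then credit the buyer."""
    pool.till_in(point_token, amount)
    # The one-line bug: the credit is keyed by the collateral token address.
    credited = point_token if fixed else collateral_token
    pool.add_token_balance(buyer, credited, amount)


def run(fixed):
    pool = Pool()
    # Another user's collateral already sits in the pool (constructed values).
    pool.till_in(USDC, 1000)
    pool.add_token_balance("other_user", USDC, 1000)
    settle_ask_taker(pool, "buyer", POINT, USDC, 500, fixed)
    return pool


if __name__ == "__main__":
    for fixed in (False, True):
        p = run(fixed)
        print("fixed" if fixed else "buggy", dict(p.claims["buyer"]),
              "insolvent:", p.insolvent_tokens())
```

The same invariant (credited claims per token never exceed holdings per token) can be asserted in the project's own test suite after every settlement call.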
