Tadle

Summary

In the protocol there is a MarketPlaceInfo struct holding the current status of the marketplace. A marketplace is created in the SystemConfig.sol only by the owner of the contract. The struct contains marketPlaceStatus which is used in many places in the protocol for being able to call certain functions meaning it is very important one. It can be set to five different status types :
UnInitialized, Online, AskSettling, BidSettling, Offline

When for example an bid/ask offer/order is being called to be closed/settled the marketplace status is always checked to make sure that the status is the correct one for the certain function. When the status of the marketplace must be changed updateMarketPlaceStatus() is being called only by the owner again to change it. This makes the whole protocol functionality dependent on the owner address .

Vulnerability Details

The whole protocol functionality is strongly dependent of the the owner address of SystemConfig.sol for updating the current marketPlaceStatus manualy, expecting that the owner address must be always online on time everytime when the market status must be updated so the cycle of the market can continue, and if he is not able to do so on time the collateral of users deposited in the protocol can be frozen or the whole market cycle.
For example In the docs is said that Once the project tokens are released, the settlement deadline will count down for 24 hours up to 72 hours (depending on the users offer details) but as we can see no check for that period being started or ended is being checked depending fully on the owner address .

Impact

Market cycle and user funds can be frozen duo to centralization dependencie.

Tools Used

Manual review

Recommendations

Implement a functionality for automatic transition atleast for status = AskSettling, BidSettling, by setting any period activity for each of them and when the period is over move to the next one.