Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Ask makers/takers will not get collateral back under certain circumstances

Summary

When ask makers settle fewer points than offerInfo.usedPoints, they don't get back the collateral for the points that they actually settled.

Vulnerability Details

In plain language: when a user wants to sell points and creates an offer (the maker), the protocol collects collateral in addition to the amount they want to sell the points for, as an incentive to ensure they follow through on the deal. After the deal is settled, they get back the amount they deposited initially. The issue arises when an ask maker settles points with DeliveryPlace.settleAskMaker() but settles fewer than offerInfo.usedPoints (used points is the number of points buyers bought from the offer). The maker is supposed to get collateral back for the points they actually settled, but they do not: the offer is marked settled and the function ends abruptly after the first if statement.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L276-L307

The same thing happens when an ask taker settles points with DeliveryPlace.settleAskTaker() and settles fewer points than promised: all the collateral is added to the maker's userBalance, and they lose even the collateral for the points that were settled.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L400-L414

Impact

Ask maker/taker loses collateral every single time they settle less than the used points.

Tools Used

Manual Review

Recommendations

After the if statement checks in settleAskMaker(), add an else branch that, when the settled points are fewer than offerInfo.usedPoints, deducts the settled points from offerInfo.usedPoints and refunds the ask maker their collateral. Do the same for settleAskTaker().
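The following added example is a simplified Python model of the accounting described above, not Tadle's Solidity code. The class, function names and amounts are constructed, and the pro-rata refund is one assumed reading of the recommended else branch.

```python
from dataclasses import dataclass

@dataclass
class Offer:
    used_points: int      # points buyers bought from the offer
    collateral: int       # maker's deposit backing those points (base units)
    settled: bool = False
    refunded: int = 0

def settle_ask_maker_reported(offer: Offer, settled_points: int) -> int:
    """Behaviour described in the finding: refund only on an exact full settlement."""
    if offer.settled:
        raise RuntimeError("invalid offer status")  # models the revert on a later call
    if settled_points > offer.used_points:
        raise ValueError("settled points exceed used points")
    refund = offer.collateral if settled_points == offer.used_points else 0
    offer.settled = True  # offer is closed even though the settlement was partial
    offer.refunded += refund
    return refund

def settle_ask_maker_recommended(offer: Offer, settled_points: int) -> int:
    """Assumed fix: deduct the settled points and refund their share of collateral."""
    if offer.settled:
        raise RuntimeError("invalid offer status")
    if not 0 < settled_points <= offer.used_points:
        raise ValueError("settled points out of range")
    # Share of the *remaining* collateral, so the final call releases everything
    # that is left and integer rounding never strands dust.
    refund = offer.collateral * settled_points // offer.used_points
    offer.used_points -= settled_points
    offer.collateral -= refund
    offer.settled = offer.used_points == 0
    offer.refunded += refund
    return refund

def locked_after(settle, steps, used_points=1_000, collateral=1_200_000):
    """Run a sequence of settlements; return the collateral still held afterwards."""
    offer = Offer(used_points, collateral)
    for points in steps:
        try:
            settle(offer, points)
        except RuntimeError:
            break         # offer already closed: remaining points cannot be settled
    return collateral - offer.refunded
```

Settling 400 and then 600 of 1,000 used points leaves the whole deposit locked under the reported behaviour and nothing locked under the modelled fix.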

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-settleAskMaker-partial-settlements

Valid high, in settleAskTaker/settleAskMaker, if the original offer maker performs a partial final settlement, the existing checks [here](https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L356-L358) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L230-L232) will cause a revert when attempting to complete a full settlement, resulting in their collateral being locked and requiring a rescue from the admin. To note, although examples in the documentation imply settlement in a single click, it is not stated that partial settlements are not allowed, so I believe it is a valid user flow.
