Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Incorrect Authority Check in settleAskTaker Function Prevents Proper Token Distribution

Summary

The settleAskTaker function in DeliveryPlace.sol is designed to settle points in a stock. However, the function incorrectly checks if msg.sender is equal to offerInfo.authority instead of verifying that the caller is the owner of the stock. This prevents the rightful stock owner (taker) from distributing tokens, leading to a failure in delivering tokens to the offer maker.

Vulnerability Details

The settleAskTaker function is responsible for distributing tokens according to the points held in a stock. This function should be called by the authority of the stock, which is the owner of the stock (taker). However, the function currently includes the following check:

```solidity
if (msg.sender != offerInfo.authority) {
    revert Errors.Unauthorized();
}
```

This check ensures that only the authority associated with the offer, rather than the stock owner, can call the function. As a result, the stock owner (taker) is unable to settle the stock and distribute tokens. Consequently, the offer maker will not receive any tokens, disrupting the intended flow of the token distribution process.

Impact

This issue blocks the proper settlement of stocks, preventing the transfer of tokens from the stock owner to the offer maker. The failure to distribute tokens as expected can lead to financial loss for the offer maker.

Tools Used

Manual Code Review

Recommendations

Update the Authority Check: The settleAskTaker function should be updated to check if msg.sender is the owner of the stock, not the offer authority. The corrected logic should look like this:

```solidity
if (_msgSender() != stockInfo.authority) {
    revert Errors.Unauthorized();
}
```
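
The two checks side by side, as an added Foundry regression test that is not part of the original submission or of Tadle's code. `SettleModel`, its numeric ids and its function names are hypothetical stand-ins for the offer/stock bookkeeping, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Reduced model, not Tadle's contract: ids, struct layout and function names
// are hypothetical; only the two authority checks come from the finding.
contract SettleModel {
    error Unauthorized();
    struct StockInfo { address authority; uint256 offerId; }
    mapping(uint256 => address) public offerAuthority; // offerId => maker
    mapping(uint256 => StockInfo) public stockInfoMap; // stockId => taker's stock
    mapping(uint256 => bool) public settled;

    function createOffer(uint256 offerId) external { offerAuthority[offerId] = msg.sender; }

    // The stock's authority is whoever created the taker position.
    function createTaker(uint256 offerId, uint256 stockId) external {
        stockInfoMap[stockId] = StockInfo(msg.sender, offerId);
    }

    // Check as reported: gates on the offer's authority (the maker).
    function settleReported(uint256 stockId) external {
        if (msg.sender != offerAuthority[stockInfoMap[stockId].offerId]) revert Unauthorized();
        settled[stockId] = true;
    }

    // Check as recommended: gates on the stock's authority (the taker).
    function settleFixed(uint256 stockId) external {
        if (msg.sender != stockInfoMap[stockId].authority) revert Unauthorized();
        settled[stockId] = true;
    }
}

contract SettleModelTest is Test {
    SettleModel model = new SettleModel();
    address maker = makeAddr("maker"); // constructed test accounts
    address taker = makeAddr("taker");

    function test_onlyStockAuthorityCanSettle() public {
        vm.prank(maker);
        model.createOffer(1);
        vm.prank(taker);
        model.createTaker(1, 7);
        vm.prank(taker); // reported check locks the stock owner out
        vm.expectRevert(SettleModel.Unauthorized.selector);
        model.settleReported(7);
        vm.prank(maker); // fixed check rejects the maker ...
        vm.expectRevert(SettleModel.Unauthorized.selector);
        model.settleFixed(7);
        vm.prank(taker); // ... and admits the stock owner
        model.settleFixed(7);
        assertTrue(model.settled(7));
    }
}
```

A role-by-role test of this shape, calling the settlement path once as each party and asserting the outcome, fails on the reported check at the first `expectRevert`-free taker call in a real suite and so catches the swapped authority before deployment.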

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-settleAskTaker-wrong-stock-authority

Valid high severity, when taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.
