Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Taker's creator could take any amount of points from the offer.

maushishreal

Summary

Premarkets.sol#createTaker() has implemented a check opposite to the intended design.

Vulnerability Details

During the creation of the taker total points of an offer should be more than the taker & offer-used points combined which is also represented in the natspec:

function createTaker(address _offer, uint256 _points) external payable {

/**

* @dev offer must be virgin

* @dev points must be greater than 0

* @dev total points must be greater than used points plus _points

if (_points == 0x0) {

revert Errors.AmountIsZero();

}

OfferInfo storage offerInfo = offerInfoMap[_offer];

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

if (offerInfo.offerStatus != OfferStatus.Virgin) {

revert InvalidOfferStatus();

}

if (offerInfo.points < _points + offerInfo.usedPoints) {//<------------- Issue

revert NotEnoughPoints(

offerInfo.points,

offerInfo.usedPoints,

_points

);

}

...

}

The check has been implemented opposite of the intended design due to which takers could be created with any amount of points that the caller of this function wants.

Impact

Takers could be created with any amount of points

Tools Used

Manual review

Recommendations

function createTaker(address _offer, uint256 _points) external payable {

/**

* @dev offer must be virgin

* @dev points must be greater than 0

* @dev total points must be greater than used points plus _points

if (_points == 0x0) {

revert Errors.AmountIsZero();

}

OfferInfo storage offerInfo = offerInfoMap[_offer];

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

if (offerInfo.offerStatus != OfferStatus.Virgin) {

revert InvalidOfferStatus();

}

- if (offerInfo.points < _points + offerInfo.usedPoints)

+ if (offerInfo.points > _points + offerInfo.usedPoints)

{

revert NotEnoughPoints(

offerInfo.points,

offerInfo.usedPoints,

_points

);

}

...

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.