Incorrect Calculation
Summary
The calculation for the depositAmount in the PreMarktes::abortBidTaker is largely incorrect.
Vulnerability Details
The PreMarktes::abortBidTaker function refunds the taker's tokens after an offer has been aborted, it calculates the amount to refund the taker by (multiplying stockInfo.points by PreOfferInfo.points and dividing by PreOfferInfo.amounts) which is very incorrect.
Impact
Scenario:
User1 creates an offer with amount = 0.1e18, points = 10000, collateral = 150% token = USDC/Any supported
User2 matches the order by calling
createTakeron user1's offer with points = 3000 and pays 0.3e17 (excluding fees)User1 aborts his offer by calling
abortAskOfferUser2 calls
abortBidTakerto get his refund but the amount refunded = 0.3e-9 approximately 0
This results in the taker's refund being very minimal if not zero.
Tools Used
Manual Analysis
Recommendations
Change the calculation for the depositAmount in the PreMarktes::abortBidTaker function.
Lead Judging Commences
finding-PreMarkets-abortBidTaker-amount-wrong-StockInfo-points
Valid high severity, due to incorrect computation of `depositAmount` within `abortBidTaker`, when aborting bid offers created by takers, the collateral refund will be completely wrong for the taker, and depending on the difference between the value of `points` and `amount`, it can possibly even round down to zero, causing definite loss of funds. If not, if points were worth less than the collateral, this could instead be used to drain the CapitalPool contract instead.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.