Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Pausing Withdrawal Function Can Unintentionally Grief Protocol Users

krisrenzo

Summary

Pausing the withdrawal function can prevent a protected mode Ask offer maker (non-OriginalMaker) from withdrawing their pointTokens, leading to various issues.

Vulnerability Details

When users call PreMarket::listOffer to sell points bought from another offer in protected mode, it creates another link in the chain of offers that must settle with each other, starting from the original offer maker. Consider the scenario discussed in the [Tadle documentation, where a chain of offer makers relies on each other to settle the bidder takers](https://tadle.gitbook.io/tadle/how-t works/mechanics-of-tadle/protected-mode#for-sell-offers).

TRANSACTION PROCESS

Transaction #1: Alice’s Sell Offer
Alice, the initial market maker, lists 1,000 points for sale at $1 per unit and deposits $1,000 as collateral.
Transaction #2: Bob’s Buy Offer
Bob buys 500 points from Alice for $500. This amount is credited to Alice's balance and is available for withdrawal.
Transaction #3: Bob’s Relisting
Bob, now a maker, lists the 500 points he purchased at a price of $1.10 per point and deposits $550 as collateral.
Transaction #4: Cathy’s Buy Offer
Cathy buys another 500 points from Alice at $1 per unit, paying $500. This amount is added to Alice's balance and is available for withdrawal.
Transaction #5: Dany’s Buy Offer
Dany buys 500 points from Bob at $1.10 per unit, paying $550. This amount is credited to Bob's balance and is available for withdrawal.
Transaction #6: Dany’s Sell Offer at a Lower Unit Price
Dany lists the 500 points at a price of $0.99 per point and deposits $495 as collateral into the smart contract.
Transaction #7: Evan Purchases From Dany
Evan buys 200 points from Dany, paying $198. This amount is credited to Dany's balance and is available for withdrawal.
However, if Dany decides to close the offer early, he retains the remaining 300 points, and the contract refunds $297, which can be withdrawn or used to restore the listing in Dany's balance.
If Dany decides to restore the listing, the offer price must remain $0.99 and cannot be changed. The offer will show a completion progress of 40%, and the wallet balance needs to be topped up accordingly.

SETTLEMENT PROCESS

Alice settles 500 points with Cathy.
Alice settles 500 points with Bob.
Bob settles 500 points with Dany.
Dany settles 200 points with Evan.

As we can see, before Dany can settle with Evan and avoid the punishment for failing to settle on time, he must wait for everyone up the chain to settle themselves.

The Issue

The settlement process sends the received pointTokens to the receiver's Tadle balance. If the withdrawal function is paused, it causes a significant delay in the settlement process, especially since users have a "settlement deadline" of 24 to 72 (max) hours, according to the documentation. Additionally, considering there is no limit to how long this chain can grow, the likelihood of the vulnerability increases significantly, especially as the protocol's user base grows.

Impact

There is a high likelihood of potential loss of collateral funds for the Ask settlers.

Tools Used

Manual

Recommendations

Consider sending the received pointTokens directly to the receiver's address. Also, cap the chain of sub-offers. Lastly, perform a pro and con analysis of having the pause functionality on the TokenManager::withdraw function.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and

Appeal created

krisrenzo Submitter
12 months ago
0xnevi Lead Judge
12 months ago
krisrenzo Submitter
12 months ago
0xnevi Lead Judge
12 months ago
0xnevi Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.