The Tadle protocol does not adequately validate whether an offer creator can or will actually settle the points they create. This lack of validation opens the door for potential exploitation, where malicious users can create offers with no intention of settling, leading to significant risks for other participants in the marketplace.
When a user creates an offer in the Tadle protocol, the system assumes that the points associated with the offer are legitimate and will be settled as intended. However, the mechanism put in place to ensure that the points are settled is gameable.
The protocol does not validate whether users actually possess the points or are eligible for pointTokens when creating an offer. This oversight allows attackers to create offers for points that they know they cannot settle, sell these points to recoup their collateral, and make risk-free profits from trade taxes and order bonuses. In this scenario, legitimate point holders are left holding worthless points, leading to potential losses.
An attacker creates an Ask offer in turbo mode for 1000 points with a collateral of 1000 USDC.
When a taker trades with them and buys all their points, the taker sends the attacker their deposit amount plus the trade tax.
The transfer process starts in the taker's trade flow: the trade tax is sent to the maker, and the taker's deposit is sent to the attacker (the Maker) as SalesRevenue.
The taker thus sends 1000 USDC (plus the trade tax) to the attacker's Tadle account, from which the attacker can withdraw it.
The attacker immediately withdraws this revenue, which effectively recoups their collateral.
Now here is the exploit:
The attacker has already recouped their collateral cost, and still earns the trade tax every time their points are traded, as they are the original maker.
Every trade tax paid is a risk-free profit, and they keep earning it until the market status updates to Ask settling.
Now check this:
The attacker currently has the collateral, revenue, and pointTokens in their raw balance, and there is absolutely nothing stopping them from walking away and letting the protocol accrue the loss.
Loss of funds for the protocol, which falls on the last person to withdraw their deposit of the related token.
Manual code review
Do not allow makers to access their total revenue before settlement; this reduces the risk of exploitation and protects users from potential losses.
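To make the loss accounting concrete, the following is an added ledger model written for this report; it is not Tadle's code. It replays the scenario above (1000 points backed by 1000 USDC, one primary sale, one resale) under two settings: the vulnerable design, where the maker's sales revenue and trade tax are withdrawable immediately, and the recommended design, where they stay in escrow until settlement. The price of 1 USDC per point, the 1% trade tax, the wallet names and the rule that leftover collateral is forfeited to takers on abort are assumptions of the model.

```python
"""Constructed ledger model of a points pre-market, written for this report.
It is not Tadle's code; the names, the 1 USDC/point price, the 1% trade tax
and the abort-penalty rule are assumptions mirroring the 1000 points / 1000 USDC scenario.
"""
from dataclasses import dataclass, field

PRICE_PER_POINT = 1   # assumed: 1000 points are backed by 1000 USDC collateral
TAX_BPS = 100         # assumed maker-set trade tax of 1%


@dataclass
class Ledger:
    lock_until_settlement: bool                       # True = the recommended mitigation
    cash: dict = field(default_factory=dict)          # net USDC moved in/out of each wallet
    withdrawable: dict = field(default_factory=dict)  # protocol balance a user can pull right now
    escrow: dict = field(default_factory=dict)        # maker revenue + tax held until settlement
    claims: dict = field(default_factory=dict)        # what each taker is owed if the maker aborts
    collateral: int = 0
    pool: int = 0                                     # USDC the contract actually holds

    def bump(self, book: dict, user: str, amount: int) -> None:
        book[user] = book.get(user, 0) + amount

    def credit_maker(self, maker: str, amount: int) -> None:
        # Vulnerable design: revenue and tax become withdrawable at once.
        # Mitigated design: they sit in escrow until the offer is settled.
        book = self.escrow if self.lock_until_settlement else self.withdrawable
        self.bump(book, maker, amount)


def create_offer(led: Ledger, maker: str, points: int) -> int:
    """Maker locks collateral for an Ask offer; returns the collateral amount."""
    collateral = points * PRICE_PER_POINT
    led.bump(led.cash, maker, -collateral)
    led.collateral += collateral
    led.pool += collateral
    return collateral


def take(led: Ledger, maker: str, taker: str, points: int) -> int:
    """Taker buys points from the maker: deposit and trade tax both go to the maker."""
    deposit = points * PRICE_PER_POINT
    tax = deposit * TAX_BPS // 10_000
    led.bump(led.cash, taker, -(deposit + tax))
    led.pool += deposit + tax
    led.credit_maker(maker, deposit + tax)
    led.bump(led.claims, taker, deposit + tax)
    return tax


def resell(led: Ledger, maker: str, seller: str, buyer: str, points: int) -> int:
    """Taker resells points: the buyer pays the seller, but the tax still goes to the maker."""
    deposit = points * PRICE_PER_POINT
    tax = deposit * TAX_BPS // 10_000
    led.bump(led.cash, buyer, -(deposit + tax))
    led.pool += deposit + tax
    led.bump(led.withdrawable, seller, deposit)   # the seller is paid for the position
    led.credit_maker(maker, tax)
    led.bump(led.claims, seller, -deposit)        # the seller keeps only its own tax claim
    led.bump(led.claims, buyer, deposit + tax)
    return tax


def withdraw(led: Ledger, user: str) -> int:
    """Pull whatever the protocol lets this user withdraw right now; returns the amount."""
    amount = led.withdrawable.pop(user, 0)
    led.pool -= amount
    led.bump(led.cash, user, amount)
    return amount


def abort(led: Ledger, maker: str) -> int:
    """Maker never delivers. Takers are refunded from escrow first, then from collateral;
    returns the shortfall left for the remaining depositors in the pool to absorb."""
    owed = sum(led.claims.values())
    available = led.escrow.pop(maker, 0) + led.collateral
    paid = min(owed, available)
    # Assumption: collateral left over after refunds is forfeited to the takers as the
    # abort penalty, so everything available leaves the pool either way.
    led.pool -= available
    led.collateral = 0
    led.claims.clear()
    return owed - paid


def run_scenario(lock_until_settlement: bool) -> dict:
    """Replay the report's scenario and return the maker's net cash, the pool shortfall
    borne by other depositors, and the USDC left in the contract."""
    led = Ledger(lock_until_settlement)
    create_offer(led, "maker", 1000)
    take(led, "maker", "takerA", 1000)
    withdraw(led, "maker")                  # recoups the collateral if the design allows it
    resell(led, "maker", "takerA", "takerB", 1000)
    withdraw(led, "maker")                  # pockets the second trade tax
    withdraw(led, "takerA")
    shortfall = abort(led, "maker")
    return {"maker_net": led.cash["maker"], "shortfall": shortfall, "pool": led.pool}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))   # maker +20, shortfall 20
    print("mitigated: ", run_scenario(True))    # maker -1000, shortfall 0
```

In the vulnerable setting the maker ends 20 USDC up before delivering anything, and that 20 USDC is exactly the shortfall the last depositor eats when the maker walks away. With revenue escrowed until settlement the maker cannot withdraw anything before delivering, every taker is made whole from escrow, and the maker forfeits the collateral, which is the incentive structure the recommendation above restores.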
Valid high severity, given original offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details