Potential Griefing Vulnerability in `PreMarkets::abortAskOffer` Function
Summary
malicious user can prevent users from calling abortAskOffer by causing their offerInfo.abortOfferStatus being SubOfferListed.
Vulnerability Details
the abortAskOffer implements the following check:
a malicious user can, change their offerInfo.abortOfferStatus by calling createTaker, and then listOffer (*if the type is turbo) preventing users from aborting their offers.
since the listOffer, changes the AbortOfferStatus of the original offer:
a user can prevent users from aborting their ask offers.
Impact
a user can "buy" and list as "sell" users ask offers, sometimes with as low as 1 wei, to prevent them from aborting their offers.
Tools Used
manual review
Recommendations
consider adding a minimum number of points to purchase, to prevent griefing being easy and cheap.
Lead Judging Commences
[invalid] finding-PreMarkets-abortAskOffer-revert-SubOfferListed
This findings hinges on the fix to #1616. Since it DoSes abortAskOffer that should be allowed, medium severity seems appropriate. Note for invalidation: This highlights a potential inconsistency that sellers should be able to cancel their orders at any time if they are not fulfilled and retrieve their collateral as noted in the [doc](https://tadle.gitbook.io/tadle/product/points-marketplace#how-tadle-unlock-points-liquidity-on-our-marketplace). However, not how it mentions `if applicable` . > Upon completing the trade, the seller will receive the funds instantly, without having to wait for the token unlock at TGE. Sellers can cancel their orders at any time if they are not fulfilled and retrieve their collateral, if applicable. So one can interpret it as once a bid taker offer is created against an orign maker ask offer, the revenue earned represented by SalesRevenue (see issue #826 and #765 for more indepth explanation) is assigned to the origin maker that can be withdrawed immediately (meaning order is already fulfilled). So arguably, in turbo mode, once an sub offer is listed, it is an acceptable design decision to disallow termination even if the suboffer is not settled, given taker should be the rightful holder of the 100 points (per the PoC) i.e. the maker should settle, if not they can walk away with the collateral paid by taker FOC. I believe this issue is invalid
Appeal created
[invalid] finding-PreMarkets-abortAskOffer-revert-SubOfferListed
This findings hinges on the fix to #1616. Since it DoSes abortAskOffer that should be allowed, medium severity seems appropriate. Note for invalidation: This highlights a potential inconsistency that sellers should be able to cancel their orders at any time if they are not fulfilled and retrieve their collateral as noted in the [doc](https://tadle.gitbook.io/tadle/product/points-marketplace#how-tadle-unlock-points-liquidity-on-our-marketplace). However, not how it mentions `if applicable` . > Upon completing the trade, the seller will receive the funds instantly, without having to wait for the token unlock at TGE. Sellers can cancel their orders at any time if they are not fulfilled and retrieve their collateral, if applicable. So one can interpret it as once a bid taker offer is created against an orign maker ask offer, the revenue earned represented by SalesRevenue (see issue #826 and #765 for more indepth explanation) is assigned to the origin maker that can be withdrawed immediately (meaning order is already fulfilled). So arguably, in turbo mode, once an sub offer is listed, it is an acceptable design decision to disallow termination even if the suboffer is not settled, given taker should be the rightful holder of the 100 points (per the PoC) i.e. the maker should settle, if not they can walk away with the collateral paid by taker FOC. I believe this issue is invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.