Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Incorrect TokenAddress

Summary

An incorrect tokenAddress is used in PreMarkets::settleAskTaker and PreMarkets::closeBidTaker, causing the wrong tokens to be sent.

Vulnerability Details

In https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L384

    tokenManager.addTokenBalance(
        TokenBalanceType.PointToken,
        offerInfo.authority,
        makerInfo.tokenAddress, // wrong tokenAddress: this is the maker's token, not the point token
        settledPointTokenAmount
    );

and https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L195

    tokenManager.addTokenBalance(
        TokenBalanceType.PointToken,
        _msgSender(),
        makerInfo.tokenAddress, // wrong tokenAddress: this is the maker's token, not the point token
        pointTokenAmount
    );

In both places the point token amount is added to the user's balance, but under the wrong token address.

Impact

The receiving user does not get the point token but instead gets the token whose address was provided. This defeats the purpose of participating: the receiver's whole reason for taking part in the protocol was to obtain the point token.

For the protocol, the tokens credited to the receiver are lost.
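To make the accounting consequence concrete, the following is an added Python model (not Tadle's code) of TokenManager credits backed by a CapitalPool. The token addresses, user names and amounts are constructed; `credited_token` stands for the address passed to addTokenBalance, makerInfo.tokenAddress in the vulnerable code versus the point token address after the recommended fix. Settling with the collateral address credits the taker with collateral the pool only holds on behalf of another user, while the delivered point tokens sit uncredited; `unbacked()` flags the mismatch that the corrected address avoids.

```python
from collections import defaultdict

# Constructed stand-ins for the two token addresses involved in settlement.
COLLATERAL = "0xCOLLATERAL"  # makerInfo.tokenAddress (the collateral token)
POINT = "0xPOINT"            # the point token the taker is owed


class Ledger:
    """Toy model of TokenManager credits backed by a CapitalPool (not Tadle's code)."""

    def __init__(self):
        self.credits = defaultdict(int)  # (user, token_address) -> amount owed
        self.pool = defaultdict(int)     # token_address -> tokens actually held

    def deposit(self, user, token, amount):
        self.pool[token] += amount
        self.credits[(user, token)] += amount

    def add_token_balance(self, user, token, amount):
        # Mirrors tokenManager.addTokenBalance(...): a credit only, no token moves.
        self.credits[(user, token)] += amount

    def withdraw(self, user, token):
        amount = self.credits.pop((user, token), 0)
        if self.pool[token] < amount:
            raise RuntimeError(f"pool short of {token}: need {amount}, have {self.pool[token]}")
        self.pool[token] -= amount
        return amount

    def unbacked(self):
        """Per token, credits exceeding pool holdings; a healthy ledger returns {}."""
        owed = defaultdict(int)
        for (_, token), amount in self.credits.items():
            owed[token] += amount
        return {t: owed[t] - self.pool[t] for t in owed if owed[t] > self.pool[t]}


def settle_ask_taker(ledger, taker, point_amount, credited_token):
    # The addTokenBalance call from settleAskTaker/closeBidTaker: credited_token is
    # makerInfo.tokenAddress in the vulnerable code, the point token after the fix.
    ledger.add_token_balance(taker, credited_token, point_amount)


def run_settlement(credited_token):
    """Alice's collateral sits in the pool; the maker has delivered 500 point tokens."""
    ledger = Ledger()
    ledger.deposit("alice", COLLATERAL, 1_000)
    ledger.pool[POINT] += 500  # points delivered for the taker's settlement
    settle_ask_taker(ledger, "taker", 500, credited_token)
    return ledger
```

With the wrong address the taker can withdraw 500 of Alice's collateral and Alice's own withdrawal then fails; with the point token address every credit is backed.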

Tools Used

Manual Analysis

Recommendations

Change the token address provided to the point token address.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning the collateral token to the user balance instead of the point token, if the collateral token is worth more than the point token, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, the user loses funds based on the points they are supposed to receive.