Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

No Collateral Required for Selling Points to a Turbo Bid Maker

Summary

When users call PreMarket::createTaker to sell points to a Bid maker, they are not required to provide collateral for those points, irrespective of the mode, leading to a loss for the Maker.

Vulnerability Details

An attacker can exploit this by acting as an Ask Taker and creating a stock to sell phantom points to a victim Bid Maker. The protocol does not validate if the Ask Taker actually possesses the points they are selling, allowing them to bypass providing collateral.

Below is the function responsible for handling Takers' deposits when they trade with Makers:

    function _updateTokenBalanceWhenCreateTaker(
        address _offer,
        uint256 _tradeTax,
        uint256 _depositAmount,
        OfferInfo storage offerInfo,
        MakerInfo storage makerInfo,
        ITokenManager tokenManager
    ) internal {
        if (
            _offer == makerInfo.originOffer ||
            makerInfo.offerSettleType == OfferSettleType.Protected
        ) {
            tokenManager.addTokenBalance(
                TokenBalanceType.TaxIncome,
                offerInfo.authority,
                makerInfo.tokenAddress,
                _tradeTax
            );
        } else {
            tokenManager.addTokenBalance(
                TokenBalanceType.TaxIncome,
                makerInfo.authority,
                makerInfo.tokenAddress,
                _tradeTax
            );
        }
        /// @dev update sales revenue
    @>  if (offerInfo.offerType == OfferType.Ask) { // note this checks if the Maker is an Asker, which he isn't
            tokenManager.addTokenBalance(
                TokenBalanceType.SalesRevenue,
                offerInfo.authority,
                makerInfo.tokenAddress,
                _depositAmount
            );
        } else {
            tokenManager.addTokenBalance(
                TokenBalanceType.SalesRevenue,
    @>          _msgSender(), // The taker credits his own Tadle account, which he can withdraw immediately
                makerInfo.tokenAddress,
                _depositAmount
            );
        }
    }

Also note that this attack only works in turbo mode.

How the Exploit Works:

  1. Attacker Creates a Stock: The attacker creates a stock to sell points to a victim turbo Bid Maker without actually holding the points.

  2. Victim's Used Points Increase: The victim’s usedPoints are increased, as seen in this code segment, effectively griefing the victim.

  3. Griefing with Minimal Cost: Although the victim receives _tradeTax, their loss is significantly greater due to the increased usedPoints. The attacker can then withdraw their deposit after their balance is credited to their Tadle account.

  4. No Collateral Required: This is possible because the protocol incorrectly assumes that points can only be sold through createOffer and listOffer, leading to the omission of collateral requirements for Ask Takers.

Impact

This vulnerability allows attackers to grief other users on the platform with minimal transaction costs, potentially leading to financial loss and disrupted trades for the victim.

Tools Used

  • Manual analysis

Recommendations

To mitigate this issue, the protocol should implement checks to ensure that Ask Takers possess the points they are selling and require collateral for these points. Additionally, the protocol should revert calls made by Ask Takers who fail to meet these requirements.
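The balance flow described above and the recommended collateral requirement, modelled side by side in Python. This is an added example, not code from the Tadle repository or from the submission. It assumes the origin-offer case (trade tax goes to the offer's authority); the `locked` bucket, the `hardened` flag, `unbacked_points` and all amounts are hypothetical names and constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

ASK, BID = "Ask", "Bid"

@dataclass
class Offer:
    authority: str          # maker that created the offer
    offer_type: str         # ASK or BID
    points: int
    used_points: int = 0

@dataclass
class Ledger:
    withdrawable: dict = field(default_factory=lambda: defaultdict(int))
    locked: dict = field(default_factory=lambda: defaultdict(int))  # hypothetical collateral bucket

def create_taker(ledger, offer, taker, points, deposit, trade_tax, hardened=False):
    """Model of the sales-revenue branch; the taker has already paid deposit + trade_tax in."""
    if offer.used_points + points > offer.points:
        raise ValueError("offer does not have enough points left")
    offer.used_points += points
    ledger.withdrawable[offer.authority] += trade_tax      # TaxIncome (origin-offer case)
    if offer.offer_type == ASK:
        ledger.withdrawable[offer.authority] += deposit    # SalesRevenue to the selling maker
    elif hardened:
        ledger.locked[taker] += deposit                    # assumed fix: hold as collateral
    else:
        ledger.withdrawable[taker] += deposit              # as on the page: _msgSender() credited

def unbacked_points(ledger, offer, sold_by):
    """Invariant check: points sold into a Bid offer by sellers with no collateral locked.

    sold_by maps seller -> points sold (constructed bookkeeping for this model).
    """
    if offer.offer_type != BID:
        return 0
    return sum(p for seller, p in sold_by.items() if ledger.locked[seller] == 0)

def run_scenario(hardened):
    """Constructed scenario: a taker sells 500 points into a 1000-point Bid offer."""
    ledger, offer = Ledger(), Offer("maker", BID, points=1000)
    create_taker(ledger, offer, "taker", 500, deposit=5_000, trade_tax=50, hardened=hardened)
    return {
        "used_points": offer.used_points,
        "taker_withdrawable": ledger.withdrawable["taker"],
        "taker_locked": ledger.locked["taker"],
        "unbacked_points": unbacked_points(ledger, offer, {"taker": 500}),
    }
```

In the unhardened run the maker's `used_points` rises while the taker's whole deposit is withdrawable again; a nonzero `unbacked_points` is the condition a test suite or monitoring job would flag.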

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-immediate-withdrawal-allow-maker-steal-funds

Valid high severity, given original offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details
