Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

`PreMarkets::listOffer` uses the wrong `collateralRate` variable, which might lead to loss of funds and unexpected errors.

Summary

The `listOffer` function allows users to list the stock they have purchased. If the mode is set to protected, they can choose their own collateral rate by passing in the `_collateralRate` they prefer.
However, the collateral that needs to be transferred to the protocol is calculated from the original offer's `collateralRate`, which might yield a different collateral amount and will lead to the user's loss of funds.

Vulnerability Details

Users call `listOffer` and specify a `_collateralRate`:

```solidity
function listOffer(address _stock, uint256 _amount, uint256 _collateralRate) external payable
```

However, the protocol calculates the collateral to be transferred using the original offer's `collateralRate` and not the user's input:

```solidity
        OfferInfo storage offerInfo = offerInfoMap[stockInfo.preOffer];
        ...
        ...
        ...
        /// @dev change abort offer status when offer settle type is turbo
        if (makerInfo.offerSettleType == OfferSettleType.Turbo) {
            address originOffer = makerInfo.originOffer;
            OfferInfo memory originOfferInfo = offerInfoMap[originOffer];
            if (_collateralRate != originOfferInfo.collateralRate) {
                revert InvalidCollateralRate();
            }
            originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;
        }
        /// @dev transfer collateral when offer settle type is protected
        if (makerInfo.offerSettleType == OfferSettleType.Protected) {
            uint256 transferAmount = OfferLibraries.getDepositAmount(
@>              offerInfo.offerType, offerInfo.collateralRate, _amount, true, Math.Rounding.Ceil
            ); //@audit - medium- takes in the original collateralrate, and not the user's input collateral rate!! should be _collateral..
            ITokenManager tokenManager = tadleFactory.getTokenManager();
            tokenManager.tillIn{value: msg.value}(_msgSender(), makerInfo.tokenAddress, transferAmount, false);
        }
```

The subsequent calculations are then made with the `_collateralRate` the user chose. Therefore, if the mode is protected and the user chose a different collateral rate, the original `collateralRate` is used for the transfer, while the stored info includes the user's `_collateralRate`.

Impact

This might lead to the user's loss of funds, or to unexpected errors and differences in the token balances.

Tools Used

Manual review

Recommendations

Use `_collateralRate` instead of `offerInfo.collateralRate`.
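
The mismatch described above can be checked as an accounting invariant. The following is an added example, not code from the submission or from Tadle: a simplified Python model in which the deposit formula (amount × rate / 10,000, rounded up), the scale constant, all function names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

RATE_SCALE = 10_000  # assumed scaler: 10_000 represents a 100% collateral rate


def deposit_amount(amount: int, collateral_rate: int) -> int:
    """Assumed stand-in for getDepositAmount on the maker side: ceil(amount * rate / scale)."""
    return -(-amount * collateral_rate // RATE_SCALE)


@dataclass
class Offer:
    amount: int
    collateral_rate: int  # rate recorded in storage for the newly listed offer
    collateral_paid: int  # collateral actually transferred in at listing time


def list_offer_vulnerable(pre_offer_rate: int, amount: int, user_rate: int) -> Offer:
    # Mirrors the reported behaviour: charge with the pre-offer's rate,
    # but record the caller-supplied rate.
    paid = deposit_amount(amount, pre_offer_rate)
    return Offer(amount, user_rate, paid)


def list_offer_fixed(pre_offer_rate: int, amount: int, user_rate: int) -> Offer:
    # Mirrors the recommendation: charge with the same rate that is recorded.
    paid = deposit_amount(amount, user_rate)
    return Offer(amount, user_rate, paid)


def accounting_gap(offer: Offer) -> int:
    """Collateral implied by the stored rate minus collateral actually held.

    0  -> consistent
    >0 -> later calculations on the stored rate exceed what was deposited
    <0 -> the lister deposited more than the stored rate accounts for
    """
    return deposit_amount(offer.amount, offer.collateral_rate) - offer.collateral_paid


if __name__ == "__main__":
    # Constructed sample: pre-offer at 120%, amount of 1_000_000 token units.
    for user_rate in (10_000, 12_000, 20_000):
        v = accounting_gap(list_offer_vulnerable(12_000, 1_000_000, user_rate))
        f = accounting_gap(list_offer_fixed(12_000, 1_000_000, user_rate))
        print(f"user_rate={user_rate}: vulnerable gap={v}, fixed gap={f}")
```

A non-zero gap in either direction is the inconsistency the finding reports; the same invariant can be asserted in the protocol's own test suite after every `listOffer` call.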

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity. Because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipulation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract.
