Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

A call to `TokenManager::updateTokenWhiteListed` can brick the offers (those whose status is anything other than `Online`) of every marketplace whose `tokenAddress` has just been "unwhitelisted".

Summary

`DeliveryPlace::settleAskTaker` and `DeliveryPlace::settleAskMaker` both call `TokenManager::tillIn`, passing the `tokenAddress` of the offer's marketplace, and `tillIn` rejects tokens that are not whitelisted.
`TokenManager::updateTokenWhiteListed`, which is used to "unwhitelist" (that is, disable) a token for use in the app, does not account for existing offers that belong to a marketplace whose token was just disabled. Such offers may be in the `AskSettling` or `BidSettling` stage and may already have been partially settled through `DeliveryPlace::settleAskMaker` or `DeliveryPlace::settleAskTaker`; once the token is disabled, every further `tillIn` call for that marketplace reverts. Note also that a marketplace's `tokenAddress` cannot be updated after creation, so there is no way to move those offers to a usable token.

Vulnerability Details

Offers whose marketplace token has been unwhitelisted can no longer be settled completely, even if they were partially settled before the unwhitelisting.

Impact

Offers remain in the system that can never be completely settled, including offers that were already partially settled before the token was disabled.

Tools Used

Manual review

Recommendations

  1. Update `TokenManager::updateTokenWhiteListed` as follows: to disable `tokenA`, require a second, already whitelisted `tokenB`, and repoint every marketplace whose `MarketPlaceInfo.tokenAddress == tokenA` to `tokenB` before `tokenA` is disabled.

  2. Alternatively, refuse to disable a token while there are partially settled offers in any marketplace that uses it.
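The two recommendations above, sketched as an added example. This is not Tadle's code: it is a deliberately stripped-down model in which a marketplace pins one `tokenAddress`, offers move from `Ongoing` to `Settling` to `Settled`, and the settlement path (`_tillIn`, standing in for `TokenManager::tillIn`) requires a whitelisted token. The names `settlingOffers`, `marketTokens`, `beginSettling`, `settle` and `migrateToken` are assumptions introduced for this example and do not exist in the audited contracts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical model (not Tadle's code) of a token manager whose settlement
/// path requires a whitelisted token, with the two recommendations applied to
/// updateTokenWhiteListed. Names below are assumed for illustration only.
contract TokenManagerModel {
    enum OfferStatus { Ongoing, Settling, Settled }

    struct Offer {
        bytes32 market;        // marketplace the offer belongs to
        uint256 totalAmount;   // amount that must be delivered in full
        uint256 settledAmount; // delivered so far (partial settlement)
        OfferStatus status;
    }

    error NotOwner();
    error TokenIsNotWhiteListed(address token);
    error TokenStillSettling(address token, uint256 pendingOffers);
    error BadStatus();

    address public immutable owner;
    mapping(address => bool) public tokenWhiteListed;
    mapping(bytes32 => address) public marketTokens; // analogue of MarketPlaceInfo.tokenAddress
    bytes32[] public markets;
    /// Recommendation 2 bookkeeping (assumed): offers per token that are Settling but not Settled.
    mapping(address => uint256) public settlingOffers;
    Offer[] public offers;

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whiteListedToken(address token) {
        if (!tokenWhiteListed[token]) revert TokenIsNotWhiteListed(token);
        _;
    }

    constructor() { owner = msg.sender; }

    function createMarket(bytes32 market, address token) external onlyOwner whiteListedToken(token) {
        marketTokens[market] = token;
        markets.push(market);
    }

    function createOffer(bytes32 market, uint256 total) external returns (uint256 id) {
        offers.push(Offer(market, total, 0, OfferStatus.Ongoing));
        id = offers.length - 1;
    }

    /// Moves an offer into settlement; from here on every settle() call needs
    /// the market token to be whitelisted.
    function beginSettling(uint256 id) external {
        Offer storage o = offers[id];
        if (o.status != OfferStatus.Ongoing) revert BadStatus();
        o.status = OfferStatus.Settling;
        settlingOffers[marketTokens[o.market]] += 1;
    }

    /// Stand-in for settleAskMaker/settleAskTaker: deliver `amount` via tillIn.
    function settle(uint256 id, uint256 amount) external {
        Offer storage o = offers[id];
        if (o.status != OfferStatus.Settling) revert BadStatus();
        address token = marketTokens[o.market];
        _tillIn(token, amount); // reverts if the token was unwhitelisted meanwhile
        o.settledAmount += amount;
        if (o.settledAmount >= o.totalAmount) {
            o.status = OfferStatus.Settled;
            settlingOffers[token] -= 1;
        }
    }

    /// Stand-in for TokenManager::tillIn; the real one pulls ERC20 funds.
    function _tillIn(address token, uint256) internal view whiteListedToken(token) {}

    /// Recommendation 2: refuse to disable a token while offers are mid-settlement.
    function updateTokenWhiteListed(address[] calldata tokens, bool isWhiteListed) external onlyOwner {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 pending = settlingOffers[tokens[i]];
            if (!isWhiteListed && pending != 0) revert TokenStillSettling(tokens[i], pending);
            tokenWhiteListed[tokens[i]] = isWhiteListed;
        }
    }

    /// Recommendation 1: disable `from` only after repointing every market that
    /// uses it to the already whitelisted `to`, carrying the pending counter along.
    function migrateToken(address from, address to) external onlyOwner whiteListedToken(to) {
        for (uint256 i = 0; i < markets.length; i++) {
            if (marketTokens[markets[i]] == from) marketTokens[markets[i]] = to;
        }
        settlingOffers[to] += settlingOffers[from];
        settlingOffers[from] = 0;
        tokenWhiteListed[from] = false;
    }
}
```

Without the guard in `updateTokenWhiteListed`, the sequence `beginSettling(id)`, `settle(id, half)`, `updateTokenWhiteListed([token], false)`, `settle(id, half)` leaves the offer stuck in `Settling`, because the last call reverts with `TokenIsNotWhiteListed`. One caveat on `migrateToken`: repointing a marketplace changes the asset that counterparties of already partially settled offers receive, so the pending-settlement guard is the less surprising of the two options.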

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in README they can break certain assumptions of the code based on their actions, and
