Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`updateMarket` function in the smart contract `SystemConfig` can be called before settlement time

waydou

Summary

The updateMarket function in the smart contract SystemConfig allows the owner to update critical market parameters, including token address, token per point, TGE (Token Generation Event), and settlement period. However, the function is vulnerable due to the lack of checks ensuring that the settlement period has passed before updating the market. This discrepancy between the function's implementation and its NatSpec documentation creates a significant security risk.

Vulnerability Details

The updateMarket function is intended to allow updates to market parameters only after the settlement period has passed. However, there is no check in the function to ensure that this condition is met. This oversight allows the owner to update market parameters at any time, even before the settlement period has concluded.

/**
* @notice Update market when settlement time is passed
* @param _marketPlaceName Market place name
* @param _tokenAddress Token address
* @param _tokenPerPoint Token per point
* @param _tge TGE
* @param _settlementPeriod Settlement period
* @notice Caller must be owner
*/
function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(
_marketPlaceName
);
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
marketPlace
];
if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
revert MarketPlaceNotOnline(marketPlaceInfo.status);
}
marketPlaceInfo.tokenAddress = _tokenAddress;
marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
marketPlaceInfo.tge = _tge;
marketPlaceInfo.settlementPeriod = _settlementPeriod;
emit UpdateMarket(
_marketPlaceName,
marketPlace,
_tokenAddress,
_tokenPerPoint,
_tge,
_settlementPeriod
);
}

Impact

The owner could prematurely update the market parameters, including the token address and token-per-point ratio, potentially manipulating the market to their advantage or simply breaking the protocol. This could result in significant financial losses for participants relying on the integrity of the settlement period. Investors expect that the market will only be updated after the agreed-upon settlement period, and having a function that can break the protocol could cause dispute and make people lose trust in the protocol.

Tools Used

Manual Review

Recommendations

function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(
_marketPlaceName
);
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
marketPlace
];
if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
revert MarketPlaceNotOnline(marketPlaceInfo.status);
}
+ require(block.timestamp >= marketPlaceInfo.tge + marketPlaceInfo.settlementPeriod, "Settlement period has not passed");
marketPlaceInfo.tokenAddress = _tokenAddress;
marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
marketPlaceInfo.tge = _tge;
marketPlaceInfo.settlementPeriod = _settlementPeriod;
emit UpdateMarket(
_marketPlaceName,
marketPlace,
_tokenAddress,
_tokenPerPoint,
_tge,
_settlementPeriod
);
}
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.