Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Missing Check for Settlement Period in `SystemConfig::updateMarket` Function

Summary

The `SystemConfig::updateMarket` function lacks a validation check to ensure that the settlement period has elapsed before allowing updates to market information. This permits the owner to invoke the function at any time, potentially disrupting ongoing trades.

Vulnerability Details

The `updateMarket` function is responsible for updating critical market parameters. However, it does not validate whether the settlement period has expired before proceeding with the update. This can lead to the function being called prematurely during an active trading session.

```solidity
function updateMarket(
    string calldata _marketPlaceName,
    address _tokenAddress,
    uint256 _tokenPerPoint,
    uint256 _tge,
    uint256 _settlementPeriod
) external onlyOwner {
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(_marketPlaceName);
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[marketPlace];

    // The marketplace status is the only precondition checked here.
    if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
        revert MarketPlaceNotOnline(marketPlaceInfo.status);
    }

    // All market parameters are overwritten with the caller-supplied values.
    marketPlaceInfo.tokenAddress = _tokenAddress;
    marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
    marketPlaceInfo.tge = _tge;
    marketPlaceInfo.settlementPeriod = _settlementPeriod;

    emit UpdateMarket(_marketPlaceName, marketPlace, _tokenAddress, _tokenPerPoint, _tge, _settlementPeriod);
}
```

Impact

The absence of a check for the settlement period allows the function to be executed at any time, even before the intended settlement period has elapsed.

Tools Used

Manual review

Recommendations

It is recommended to implement a validation check in the `updateMarket` function to ensure that the settlement period has passed before proceeding with any updates. This can be accomplished by comparing the current block timestamp with the sum of the Token Generation Event (TGE) timestamp and the settlement period.

function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(_marketPlaceName);
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[marketPlace];
if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
revert MarketPlaceNotOnline(marketPlaceInfo.status);
}
+ if (block.timestamp < marketPlaceInfo.tge + marketPlaceInfo.settlementPeriod) {
+ revert SettlementPeriodNotPassed();
+ }
marketPlaceInfo.tokenAddress = _tokenAddress;
marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
marketPlaceInfo.tge = _tge;
marketPlaceInfo.settlementPeriod = _settlementPeriod;
emit UpdateMarket(_marketPlaceName, marketPlace, _tokenAddress, _tokenPerPoint, _tge, _settlementPeriod);
}
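
Review bot: the added `if` compares `block.timestamp` against the stored `marketPlaceInfo.tge + marketPlaceInfo.settlementPeriod` rather than the incoming `_tge` and `_settlementPeriod`, so the guard depends on values that this same function assigns a few lines further down. If both stored fields are still zero on the first call, the condition is false and the update proceeds without any real check; once a future `tge` has been stored, the owner cannot correct it until `tge + settlementPeriod` has passed. A comment should state which of these behaviours is intended, and the unset case should be handled explicitly so the first-call path does not rely on zero defaults. `SettlementPeriodNotPassed` is also not declared in the lines shown and needs a matching `error` definition.
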
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumptions of the code based on their actions, and
