Call the `TokenManager::updateTokenWhiteListed` function when market place have their tokenAddress in "unwhitelisted" can break offer with status different to 'Online'
Relevant GitHub Links
Summary
Offers whose tokenAddress has been deactivated can no longer be fully satisfied.
Vulnerability Details
The DeliveryPlace::settleAskTaker and DeliveryPlace::settleAskMakerfunctions call TokenManager::tillIn providing the tokenAddress of the appropriate marketplace.
The method TokenManager::updateTokenWhiteListed which can be used to disable a token ("unwhitelist")who ill be used in the app does not take into account that there might exist offers. That can be in the AskSettling or BidSettling stage that might certainly have already been partially "asked" on by caling DeliveryPlace::settleAskMaker or DeliveryPlace:SettleAskTaker.
In TokenManager contract:
In DeliveryPlace contract:
Impact
Creation of some offers that will not be fully satisfied.
Tools Used
Manual anlysis.
Recommendations
prevent disabling a token if there are offers that are currently being settled with this token.
Lead Judging Commences
[invalid] finding-Admin-Errors-Malicious
The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.