Tadle

Summary

Some users that listed offer will get collateral when they should not

Vulnerability Details

In PreMarkets.listOffer(), users that purchased points from an original offer but wants to trade them (kind of life second hand) can invoke this function and put their "supposedly" purchased points up for sale, then wether they deposit collateral or not depends on the original offer settle type "makerInfo.offerSettleType" so if its turbo you do not deposit collateral if it is protected you deposit collateral https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L335-L362

So during settlement assuming everyone is honest this user gets all the pointsTokens originally purchased from initial offer by calling DeliveryPlace.closeBidTaker(), then heads over to settleAskMaker() in the same contract to settle pointsToken, there is no check if "offersettleType" was "turbo" or "purchased" it simply updates the userBalance with collateral tokens in the form of a refund https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L275-L307

Impact

Users will get collateral that they never deposited and the collateral can be very high amounts of tokens

Tools Used

Manual Review

Recommendations

Check if "offersettleType" for offers that their authority are not the makers too because when creating a new offer entierly you deposit regardless if it is turbo or protected.