Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

`PreMarkets.listOffer()` uses an incorrect collateral rate during a collateral calculation.

bladesec

Summary

PreMarkets.listOffer() uses an incorrect collateral rate during a collateral calculation.

Vulnerability Details

In listOffer(), the caller deposits collateral when offer settle type is Protected and it calculates collateral amount using offerInfo.collateralRate.

File: PreMarkets.sol
345: /// @dev transfer collateral when offer settle type is protected
346: if (makerInfo.offerSettleType == OfferSettleType.Protected) {
347: uint256 transferAmount = OfferLibraries.getDepositAmount(
348: offerInfo.offerType,
349: offerInfo.collateralRate, //@audit wrong rate
350: _amount,
351: true,
352: Math.Rounding.Ceil
353: );
354:
355: ITokenManager tokenManager = tadleFactory.getTokenManager();
356: tokenManager.tillIn{value: msg.value}(
357: _msgSender(),
358: makerInfo.tokenAddress,
359: transferAmount,
360: false
361: );
362: }

listOffer() has a _collateralRate param which will be used to update the offer info with and the collateral amount should be calculated with this collateral rate.

Impact

listOffer() wouldn't work properly for Protected type as it calculates collateral amount wrongly.

Tools Used

Manual Review

Recommendations

listOffer() should use _collateralRate instead of offerInfo.collateralRate for Protected type.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipilation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.