Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

`DeliveryPlace::settleAskTaker` allows the offer's authority to call it instead of the stock's authority, leading to no PointToken trade.

Summary

  • The `settleAskTaker` function is expected to be called by the taker during the AskSettling status, as they are the one who will be selling the points.

  • But the function implements an incorrect access control check that makes it callable only by the authority of the offer, who is the one who directly created the offer to buy points.

  • As a result, the taker can never sell points to the bid offer maker, because the function reverts when the taker calls it.

Vulnerability Details

  • The vulnerability is present in the `settleAskTaker` function, which allows the offer's maker (authority) to call the function instead of the offer taker.

  • The AskTaker is the person who will be selling the points to the offer's authority (i.e. its direct maker), and the function is expected to be callable by the AskTaker so that they can settle the PointToken to the offer's authority.

  • But due to the incorrect access control check, the function does not allow the ask taker to call it, and no point token trade can be made.

  • The function instead allows the offer's authority to call it, and there is no purpose in allowing the authority of the offer, who placed a buy offer, to call the function.

  • The incorrect code snippet is below:

```solidity
if (status == MarketPlaceStatus.AskSettling) {
@>  if (_msgSender() != offerInfo.authority) {
        revert Errors.Unauthorized();
    }
} else {
    if (_msgSender() != owner()) {
        revert Errors.Unauthorized();
    }
    if (_settledPoints > 0) {
        revert InvalidPoints();
    }
}
```

Here `offerInfo.authority` is the direct maker of the offer, who expects the taker (i.e. the authority of `stockInfo`) to allocate the point tokens to them. Because the function allows only the maker to call it, the trade never happens.

Impact

  • The taker (AskTaker or `stockInfo.authority`) will never be able to call the function, so PointToken cannot be allocated to the direct offer maker.
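
The caller check can be audited as an authorization matrix: for each branch, list which roles pass. The following is an added example, a Python model of the snippet's branch structure and not Tadle's own code; the role addresses, the `fixed` switch and the status name `Other` (standing for any status other than AskSettling) are constructed for illustration.

```python
# Added example: a Python model of the caller check, not the project's Solidity.
class Unauthorized(Exception):
    pass

class InvalidPoints(Exception):
    pass

# Constructed addresses for the four roles involved.
MAKER, TAKER, OWNER, STRANGER = "0xMaker", "0xTaker", "0xOwner", "0xStranger"
OFFER_AUTHORITY = MAKER  # offerInfo.authority: created the bid offer
STOCK_AUTHORITY = TAKER  # stockInfo.authority: the ask taker who delivers points

def settle_ask_taker(sender, status, settled_points, fixed):
    """Mirror the snippet's branches; fixed=True applies the recommended check."""
    if status == "AskSettling":
        expected = STOCK_AUTHORITY if fixed else OFFER_AUTHORITY
        if sender != expected:
            raise Unauthorized()
    else:
        if sender != OWNER:
            raise Unauthorized()
        if settled_points > 0:
            raise InvalidPoints()
    return True

def allowed_callers(status, settled_points, fixed):
    """Return the set of roles whose call does not revert."""
    ok = set()
    for sender in (MAKER, TAKER, OWNER, STRANGER):
        try:
            settle_ask_taker(sender, status, settled_points, fixed)
            ok.add(sender)
        except (Unauthorized, InvalidPoints):
            pass
    return ok

def matrix(fixed):
    """Authorization matrix over (status, settled points) cases."""
    cases = [("AskSettling", 100), ("Other", 0), ("Other", 100)]
    return {(s, p): allowed_callers(s, p, fixed) for s, p in cases}

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", matrix(fixed))
```

With the original check, the only role that passes during AskSettling is the maker; with the recommended check it is the taker, and the owner-only branch is unchanged.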

Tools Used

Manual Review

Recommendations

Apply the following change:

- if (_msgSender() != offerInfo.authority) {
+ if (_msgSender() != stockInfo.authority) {
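
Review bot: The replacement condition on the `+` line has nothing that pins down the intended caller for later readers. Add a short comment above the check stating that during AskSettling the caller must be the ask taker (the stock's authority), and add a regression test in which the taker's call succeeds and the offer authority's call reverts with `Errors.Unauthorized()`.
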
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-settleAskTaker-wrong-stock-authority

Valid high severity, when taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.
