Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Incorrect authority validation in `DeliverPlace.settleAskTaker()`.

Summary

settleAskTaker() validates the authority incorrectly.

Vulnerability Details

In settleAskTaker(), an ask taker might be unable to settle if the status is AskSettling.

```solidity
function settleAskTaker(address _stock, uint256 _settledPoints) external {
    IPerMarkets perMarkets = tadleFactory.getPerMarkets();
    StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);
    (
        OfferInfo memory offerInfo,
        MakerInfo memory makerInfo,
        MarketPlaceInfo memory marketPlaceInfo,
        MarketPlaceStatus status
    ) = getOfferInfo(stockInfo.preOffer);
    //
    if (status == MarketPlaceStatus.AskSettling) {
        if (_msgSender() != offerInfo.authority) { //@audit
            revert Errors.Unauthorized();
        }
    }
```

It requires the caller to be `offerInfo.authority`, which is incorrect.

The caller should be `stockInfo.authority`, the account that called `createTaker()` when matching a maker offer.

Impact

An ask taker cannot settle the trade because of the incorrect authority validation.

Tools Used

Manual Review

Recommendations

settleAskTaker() should check if the caller is stockInfo.authority, not offerInfo.authority.

if (status == MarketPlaceStatus.AskSettling) {
- if (_msgSender() != offerInfo.authority) {
+ if (_msgSender() != stockInfo.authority) {
revert Errors.Unauthorized();
}
}
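Review bot: the changed comparison `_msgSender() != stockInfo.authority` comes with no test in this hunk; add one in which the maker and the taker are different accounts, because a test that uses a single account for both roles passes under either comparison. Also confirm that excluding the maker in `AskSettling` is intended, since after this change `Errors.Unauthorized()` is raised for every caller other than `stockInfo.authority`, and that includes `offerInfo.authority`.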
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-settleAskTaker-wrong-stock-authority

Valid high severity, when taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.
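The authority mismatch described in this finding, reduced to a self-contained model; this is an added example, not code from the Tadle repository or from the submission. The contract names, `settleReported`, `settleFixed` and `TakerProbe` are hypothetical, and only the two `authority` fields and the caller check are modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; not Tadle's contracts. Only the two
// `authority` fields and the AskSettling caller check are modelled.
contract SettleAuthModel {
    error Unauthorized();
    struct Offer { address authority; }                    // maker
    struct Stock { address authority; uint256 preOffer; }  // taker + matched offer
    mapping(uint256 => Offer) public offers;
    mapping(uint256 => Stock) public stocks;
    uint256 public nextId = 1;

    // Maker lists an offer: the caller becomes offerInfo.authority.
    function createOffer() external returns (uint256 id) {
        id = nextId++;
        offers[id] = Offer(msg.sender);
    }

    // Taker matches it: the caller becomes stockInfo.authority.
    function createTaker(uint256 offerId) external returns (uint256 id) {
        require(offers[offerId].authority != address(0), "unknown offer");
        id = nextId++;
        stocks[id] = Stock(msg.sender, offerId);
    }

    // Check as reported (hypothetical name): caller is compared with the maker.
    function settleReported(uint256 stockId) external view returns (bool) {
        if (msg.sender != offers[stocks[stockId].preOffer].authority) revert Unauthorized();
        return true;
    }

    // Check as recommended (hypothetical name): caller is compared with the taker.
    function settleFixed(uint256 stockId) external view returns (bool) {
        if (msg.sender != stocks[stockId].authority) revert Unauthorized();
        return true;
    }
}

// A taker that is a different account from the maker.
contract TakerProbe {
    // Matches the offer as the taker, then reports which check accepts the taker.
    function run(SettleAuthModel m, uint256 offerId) external returns (bool reportedOk, bool fixedOk) {
        uint256 stockId = m.createTaker(offerId);
        try m.settleReported(stockId) returns (bool ok) { reportedOk = ok; } catch {}
        try m.settleFixed(stockId) returns (bool ok) { fixedOk = ok; } catch {}
    }
}
```

Calling `createOffer()` from one account and then `TakerProbe.run()` with the returned id exercises both checks with a taker that differs from the maker, which is the case a regression test for the fix has to cover.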
