Tadle
DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Function abortAskOffer(address, address) calculates makerRefundAmount wrongly

Summary

abortAskOffer(address, address) in the PreMarkets contract calculates makerRefundAmount incorrectly if the offer was canceled beforehand, which leads to a loss of user funds.

Vulnerability Details

If the maker canceled the offer before aborting it, they should not receive the entire amount in question, because the unsold amount was already refunded to them during cancellation:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L441C1-L455C15

Whether the offer was canceled, and hence how much remains for the maker to recover, is decided by an if condition:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L584C1-L593C10

If an offer was canceled, the remainingAmount variable should reflect the amount that has not been sold yet.

Unfortunately, the rest of the calculation, from line 595 to line 613, does not properly reflect the remaining amount that is to be refunded. The calculation appears to have been written without considering whether the offer was canceled beforehand.

From the code, the transferAmount calculation should have taken the entire offer amount into account rather than just the remainingAmount.

Because of this, canceled offers cannot be properly refunded.

Impact

Funds are not properly accounted for and are lost to the user, who cannot recover them by aborting the ask offer.

We conclude this to be of HIGH severity.

Tools Used

Manual review

Recommendations

Implement a proper mechanism for recovering funds from a canceled ask offer.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[invalid] finding-PreMarkets-abortAskOffer-Canceled exploit

Note, #148, #826, #1784 all stem from the fact that order statuses are not appropriately updated when a taker order is created against a maker offer. If the status is switched to `Ongoing/Filled` respectively, the virgin checks will fail appropriately and subsequently all these issues will be fixed. They could possibly be duplicates, so leaving open for appeal. This actually is closely related to issue #148. If a taker has created a Bid/Ask offer against an original maker offer and the Status is adjusted to Ongoing/Filled accordingly, then the abortion/cancellations cannot occur so this issue cannot be exploited.

Appeal created

0xbrivan2 Auditor
10 months ago
0xnevi Lead Judge
10 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-PreMarkets-abortAskOffer-Canceled exploit