Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Makers listing offers using turbo mode can cause the bidder loss of funds.

VaRuN

Summary

The offers listed via turbo mode can cause loss of funds for the buyer as they won't get any points and cannot get their bid amount back.

Vulnerability Details

If an ask offer is listed through turbo mode then there is no need of any collateral. So now if a buyer(bidder) buys those points then if first transfers the tokens to the offer owner. Now that owner receives the funds becasue initially tokens are transferred by the buyer and then tokens are settled by the maker. Now if the maker doesn't settles the tokens then there is no loss for maker as he didn't transfer any collateral plus as the offer remains in virgin state the buyer cannot get back his bid amount thus loss of funds.

Impact

Loss of funds for the buyer.

Tools Used

Manual Review

Recommendations

Maybe transfer the bid amount to the maker of turbo mode after the settlement of the points and introduce some logic which enables the biders to get back their tokens if the maker doesn't settles in turbo mode.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

[invalid] finding-DeliveryPlace-owner-do-not-call-settleAskMaker

Invalid, the makers are incentivized to settle offers to earn maker bonuses when subsequent takers and makers make trade using the original collateral put up for points as well as get back their initial collateral. Additionally, if they do not settle on time, they will lose all their initial collateral, forcing the `owner` to come in and perform the settlement and retrieving that collateral. This is noted as a design decision [here](https://tadle.gitbook.io/tadle/how-tadle-works/features-and-terminologies/settlement-and-collateral-rate) If all else fails, the `owner` can come in to settle as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L254-L256) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L365-L367) offers to allow closing offers and subsequently allowing refunds. I acknowledge that perhaps a more decentralized

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.