Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

There is no way of getting point tokens in `closeBidTaker()`

Summary

`closeBidTaker()` and `settleAskTaker()` wrongly use `makerInfo.tokenAddress` (the collateral token) instead of `marketPlaceInfo.tokenAddress` (the point token).

Vulnerability Details

In the contract DeliveryPlace.sol, the `closeBidTaker()` function adds the collateral token instead of the point token:

```solidity
tokenManager.addTokenBalance(
    TokenBalanceType.PointToken,
    _msgSender(),
    makerInfo.tokenAddress,
    pointTokenAmount
);
```

`makerInfo.tokenAddress` is the collateral token address, which the offer creator supplies in create offer, whereas `marketPlaceInfo.tokenAddress` is the address of the point token. When adding the point token balance, `marketPlaceInfo.tokenAddress` should be used instead of `makerInfo.tokenAddress`.

POC

  • Add this PoC to the PreMarkets.t.sol contract

  • Run with `forge test --mt test_wrong_PointToken_poc -vvv`

```solidity
function test_wrong_PointToken_poc() public {
    // Fund the maker (user), the taker (user1) and the capital pool
    deal(address(mockPointToken), user, 10e18);
    deal(address(mockUSDCToken), user, 10e6);
    deal(address(mockUSDCToken), user1, 10.35 * 1e6);
    deal(address(mockUSDCToken), address(capitalPool), 1000e6);
    console2.log("user USDC token before createOffer():", mockUSDCToken.balanceOf(user));

    // user creates an Ask offer with USDC as the collateral token
    vm.startPrank(user);
    preMarktes.createOffer(
        CreateOfferParams(
            marketPlace,
            address(mockUSDCToken),
            10,
            10e6,
            10000,
            300,
            OfferType.Ask,
            OfferSettleType.Turbo
        )
    );
    vm.stopPrank();
    console2.log("user USDC token after createOffer():", mockUSDCToken.balanceOf(user));

    // user1 takes the whole offer
    vm.startPrank(user1);
    console2.log("user1 USDC token before createTaker():", mockUSDCToken.balanceOf(user1));
    mockUSDCToken.approve(address(tokenManager), 10.35 * 1e6);
    address offerAddr = GenerateAddress.generateOfferAddress(0);
    preMarktes.createTaker(offerAddr, 10);
    console2.log("user1 USDC token after createTaker():", mockUSDCToken.balanceOf(user1));
    address stock1Addr = GenerateAddress.generateStockAddress(1);
    vm.stopPrank();

    // update market: set the point token address and the token-per-point rate
    vm.prank(user1);
    systemConfig.updateMarket(
        "Backpack",
        address(mockPointToken),
        1 * 1e18,
        block.timestamp + 1 days,
        2 days
    );
    vm.warp(block.timestamp + 3 days);

    // user (maker) settles by delivering point tokens
    vm.startPrank(user);
    mockPointToken.approve(address(tokenManager), 10e18);
    deliveryPlace.settleAskMaker(offerAddr, 10);
    vm.stopPrank();

    // user1 (taker) closes the bid and tries to withdraw point tokens
    vm.startPrank(user1);
    deliveryPlace.closeBidTaker(stock1Addr);
    console2.log("=================================================================");
    // we can see that the withdraw function doesn't withdraw point tokens
    console2.log("user1 before withdraw point tokens:", mockPointToken.balanceOf(user1));
    capitalPool.approve(address(mockPointToken));
    tokenManager.withdraw(address(mockPointToken), TokenBalanceType.PointToken);
    console2.log("user1 after withdraw point tokens:", mockPointToken.balanceOf(user1));
    vm.stopPrank();
    console2.log("=================================================================");

    // user (maker) withdraws the USDC sales revenue
    vm.startPrank(user);
    console2.log("user before withdraw USDC tokens:", mockUSDCToken.balanceOf(user));
    capitalPool.approve(address(mockUSDCToken));
    tokenManager.withdraw(address(mockUSDCToken), TokenBalanceType.SalesRevenue);
    console2.log("user after withdraw USDC tokens:", mockUSDCToken.balanceOf(user));
    vm.stopPrank();
}
```
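Why the PoC's point token withdrawal pays nothing, as an added Python model that is not part of the original submission or the Tadle code base. It assumes the ledger is keyed by (account, token, balance type), as the `addTokenBalance` and `withdraw` calls above suggest, and that `pointTokenAmount` is points times token-per-point; the `Ledger` class and helper names are hypothetical.

```python
from collections import defaultdict

USDC, POINT = "mockUSDCToken", "mockPointToken"  # constructed stand-ins for addresses

class Ledger:
    """Simplified model: balances keyed by (account, token, balance type)."""
    def __init__(self):
        self.balances = defaultdict(int)

    def add_token_balance(self, balance_type, account, token, amount):
        self.balances[(account, token, balance_type)] += amount

    def withdraw(self, account, token, balance_type):
        # Pays out whatever is recorded under this exact key, then clears it.
        return self.balances.pop((account, token, balance_type), 0)

def close_bid_taker(ledger, taker, maker_token, market_token, points,
                    token_per_point, fixed):
    # Assumption: pointTokenAmount = points * tokenPerPoint.
    point_token_amount = points * token_per_point
    # Bug: credit is keyed under the collateral token (makerInfo.tokenAddress).
    # Fix: key it under the point token (marketPlaceInfo.tokenAddress).
    token = market_token if fixed else maker_token
    ledger.add_token_balance("PointToken", taker, token, point_token_amount)
    return point_token_amount

def miskeyed_point_credits(ledger, point_token):
    """Invariant: PointToken-type balances may only sit under the point token."""
    return [(key, amount) for key, amount in ledger.balances.items()
            if key[2] == "PointToken" and key[1] != point_token and amount > 0]

def run(fixed):
    # Values taken from the PoC: 10 points, 1e18 point tokens per point.
    ledger = Ledger()
    close_bid_taker(ledger, "user1", USDC, POINT, points=10,
                    token_per_point=10**18, fixed=fixed)
    flagged = miskeyed_point_credits(ledger, POINT)
    received = ledger.withdraw("user1", POINT, "PointToken")
    return received, flagged

if __name__ == "__main__":
    for fixed in (False, True):
        received, flagged = run(fixed)
        print("fixed" if fixed else "buggy", "received:", received, "flagged:", flagged)
```

The same invariant can be asserted in a test suite after every settlement call: any PointToken-type balance recorded under a token other than the marketplace point token indicates the mis-keyed credit.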

Impact

The user will not receive point tokens, causing a loss of point tokens for the user.

Tools Used

VS Code / manually

Recommendations

  • Consider changing `makerInfo.tokenAddress` to the actual point token address, which is `marketPlaceInfo.tokenAddress`:

tokenManager.addTokenBalance(
TokenBalanceType.PointToken,
_msgSender(),
- makerinfo.tokenAddress
+ marketPlaceInfo.tokenAddress,
pointTokenAmount
);
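Review bot: the removed line `- makerinfo.tokenAddress` does not match the call quoted under Vulnerability Details, which reads `makerInfo.tokenAddress,` (capital I, trailing comma), so the hunk would not apply as written; the `-` line should reproduce the existing source exactly. The Summary also names settleAskTaker() as affected, while this hunk changes a single addTokenBalance call, so the same replacement should be shown for that function as well.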
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.
