Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`CloseBidTaker` function in DeliveryPlace contract credits collateral token not point token.

0x1912

Summary

The closeBidTaker function performs the following:

Retrieves information for the relevant stock and pre-offer.
Checks if the stock is of type Bid, and if the caller is the stock authority.
Calculates the user's collateral fee and point token amount based on remaining points and settled amounts.
Updates the stock status to Finished.
Emits the CloseBidTaker event.

Vulnerability Details

closeBidTakerfunction should credit point token to the stock owner based on remaining points and settled amounts.

function closeBidTaker(address _stock) external {

__SNIP__

uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(

userRemainingPoints,

offerInfo.usedPoints,

Math.Rounding.Floor

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

_msgSender(),

@> makerInfo.tokenAddress,

pointTokenAmount

);

__SNIP__

}

As we can see in above code, pointToken credited as the balance of collateral token contract.

So after this transaction, user can withdraw collateral token instead of pointToken, so user can't receive point token at all.

Impact

It makes protocol useless and breaks protocol, because accounting system is not working in correctly.

Due to this, user can't get point token and collateral token can be at risk, breaking protocol running.

Tools Used

Manual review

Recommendations

function closeBidTaker(address _stock) external {

(

OfferInfo memory preOfferInfo,

MakerInfo memory makerInfo,

- ,

+ MarketPlaceInfo memory marketInfo,

) = getOfferInfo(stockInfo.preOffer);

__SNIP__

uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(

userRemainingPoints,

offerInfo.usedPoints,

Math.Rounding.Floor

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

_msgSender(),

- makerInfo.tokenAddress,

+ marketInfo.tokenAddress,

pointTokenAmount

);

__SNIP__

}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.