Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Incorrect calculation of collateral amount in the `PreMarkets.listOffer` function.

GitHub link

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L349

Summary

The `PreMarkets.listOffer` function calculates `transferAmount` using `offerInfo.collateralRate` when it should use `_collateralRate`.

Vulnerability Details

When the offer settle type is protected, `stockInfo.authority` deposits collateral at L356.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L295-L396

    if (makerInfo.offerSettleType == OfferSettleType.Protected) {
        uint256 transferAmount = OfferLibraries.getDepositAmount(
            offerInfo.offerType,
            offerInfo.collateralRate, // L349
            _amount,
            true,
            Math.Rounding.Ceil
        );
        ITokenManager tokenManager = tadleFactory.getTokenManager();
        tokenManager.tillIn{value: msg.value}( // L356
            _msgSender(),
            makerInfo.tokenAddress,
            transferAmount,
            false
        );
    }

The `PreMarkets.listOffer` function takes a `_collateralRate` argument, and the `collateralRate` of the new ask offer is set to this argument.
This means that `stockInfo.authority` should deposit an amount of collateral calculated using `_collateralRate`.
However, at L349 the amount of collateral is calculated incorrectly using `offerInfo.collateralRate` instead of `_collateralRate`.

Impact

In protected mode, the amount of collateral deposited for the listed offer differs from the information stored for that offer in the `offerInfoMap` variable.
The protocol introduces protected mode to enhance buyer assurance and reduce default risks.
This difference breaks that assurance.
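
The mismatch described above can be written as an invariant check. The following Python model is an added example, not Tadle's code: `RATE_SCALER`, the deposit formula inside `deposit_amount`, and the names `Offer`, `list_offer` and `collateral_gap` are assumptions made for illustration, and the sample rates and amounts are constructed.

```python
from dataclasses import dataclass

# Assumption: rates are fixed-point with 10_000 == 100% collateral.
RATE_SCALER = 10_000


def deposit_amount(collateral_rate: int, amount: int) -> int:
    """Assumed stand-in for OfferLibraries.getDepositAmount (maker, Ceil rounding)."""
    return -(-amount * collateral_rate // RATE_SCALER)  # ceiling division


@dataclass
class Offer:
    amount: int
    collateral_rate: int  # rate recorded for this offer (offerInfoMap in the contract)


def list_offer(origin: Offer, amount: int, new_rate: int, fixed: bool):
    """Model of the protected-mode branch of listOffer.

    Returns (offer as recorded, collateral actually deposited).
    fixed=False mirrors L349 as reported: the origin offer's rate sizes the deposit.
    fixed=True mirrors the recommended change: the new rate sizes the deposit.
    """
    rate_for_deposit = new_rate if fixed else origin.collateral_rate
    deposit = deposit_amount(rate_for_deposit, amount)
    return Offer(amount, new_rate), deposit


def collateral_gap(offer: Offer, deposit: int) -> int:
    """Collateral implied by the recorded rate minus what was deposited.

    0 is the invariant; > 0 means the listing is under-collateralised,
    < 0 means the lister deposited more than the record reflects.
    """
    return deposit_amount(offer.collateral_rate, offer.amount) - deposit


if __name__ == "__main__":
    origin = Offer(amount=1_000, collateral_rate=12_000)  # constructed sample
    for new_rate in (10_000, 12_000, 20_000):
        for fixed in (False, True):
            offer, dep = list_offer(origin, 1_000, new_rate, fixed)
            print(f"new_rate={new_rate} fixed={fixed} "
                  f"deposit={dep} gap={collateral_gap(offer, dep)}")
```

A regression test for the contract can assert the same property: after `listOffer` in protected mode, the deposited amount equals the deposit derived from the stored `collateralRate`.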

Tools Used

Manual Review

Recommendations

It is recommended to change the code as follows:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L349

if (makerInfo.offerSettleType == OfferSettleType.Protected) {
uint256 transferAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
- offerInfo.collateralRate,
+ _collateralRate,
_amount,
true,
Math.Rounding.Ceil
);
ITokenManager tokenManager = tadleFactory.getTokenManager();
tokenManager.tillIn{value: msg.value}(
_msgSender(),
makerInfo.tokenAddress,
transferAmount,
false
);
}
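
Review bot: at the `+ _collateralRate,` line the amount passed to `tillIn` is now derived from a caller-supplied argument, and nothing in this hunk bounds that value before `getDepositAmount` runs. Confirm that `listOffer` validates `_collateralRate` before this branch is reached, and add a regression test asserting that `transferAmount` equals the deposit computed from the collateral rate stored for the new offer, so the deposited and recorded values cannot drift apart again.
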
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipulation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract.
