The `DeliveryPlace.closeBidTaker` and `DeliveryPlace.settleAskTaker` functions adds `makerInfo.tokenAddress` tokens instead of `marketPlaceInfo.tokenAddress` tokens.
Github link
Summary
The DeliveryPlace.closeBidTaker and DeliveryPlace.settleAskTaker functions add makerInfo.tokenAddress tokens, and makerInfo.tokenAddress is not point token.
As a result, in the DeliveryPlace.closeBidTaker, stockInfo.authority does not receive point token.
And in the DeliveryPlace.settleAskTaker, offerInfo.authority does not receive point token.
Vulnerability Details
The DeliveryPlace.closeBidTaker function adds the pointTokenAmount tokens to stockInfo.authority, but added token is makerInfo.tokenAddress tokens, not point token from L198.
The DeliveryPlace.settleAskTaker function adds the settledPointTokenAmount tokens to offerInfo.authority, but added token is makerInfo.tokenAddress tokens, not point token from L387.
Impact
stockInfo.authority receives makerInfo.tokenAddress tokens instead of point tokens in the DeliveryPlace.closeBidTaker.
offerInfo.authority receives makerInfo.tokenAddress tokens instead of point tokens in the DeliveryPlace.settleAskTaker.
Tools Used
Manual Review
Recommendations
It is recommended to change the code as following:
Lead Judging Commences
finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance
Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.