Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

The protocol never updated `OfferStatus`, and consequently implements wrong `OfferStatus` check.

amaron

Summary

the OfferStats enum:

/**
* @dev Offer status
* @notice Unknown, Virgin, Ongoing, Canceled, Filled, Settling, Settled
* @param Unknown offer not yet exist.
* @param Virgin offer has been listed, but not one trade.
* @param Ongoing offer has been listed, and already one trade.
* @param Canceled offer has been canceled.
* @param Filled offer has been filled.
* @param Settling offer is settling.
* @param Settled offer has been settled, the last status.
*/
enum OfferStatus {
Unknown,
Virgin,
Ongoing,
Canceled,
Filled,
Settling,
Settled
}

was not updated, and therefore the whole protocol implements wrong OfferStatus validation.

Vulnerability Details

an example of the wrong OfferStatus validation can be seen in PreMarkets::createTaker, where the function includes the following requirement:

if (offerInfo.offerStatus != OfferStatus.Virgin) {
//@audit - medium. wrong validation || OfferStatus.Ongoing
revert InvalidOfferStatus();
}

whereas if another user have already called this function, the OfferStatus should be Ongoing, and as long as it is not Filled and there are more points to be purchased, it should pass the check.

Impact

An incorrect implementation of OfferStatus updates and its requirements could lead to inconsistencies and serious issues within the protocol.

Tools Used

manual review

Recommendations

update the OfferStatus correctly, and implement proper checks on the status in the different functions.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-createTaker-Ongoing-Status

The reason for severity for this issue and duplicates are very similar to issue #1164. However, in this case, the issues correctly identified that offer statuses should be updated accordingly based on points transaction (partially filled orders = `Ongoing`, fully filled orders = `Filled`). There is currently no impact on the tadle system since the above two statuses are unused, and while sementically `Virgin` status is not the correct status representing whether taker orders can be created agains maker offers, it can still be performed without a DoS. However, if we are basing it off of the correct status implementation (i.e. `Ongoing` phase appropriately updated when takers create taker offers), then the DoS will occur, essentially blocking any taker offers from being created by subsequent takers for partially filled orders. All issues that does not mention the DoS impact will be low severity, since they still correctly highlighted the wrong status accounting. All issues that mention the possible bypass of `Virgin` status is incorrect, because the usedPoint checks will always ensure points are filled only up to the points posted for offer as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L180-L186). Note for downgrade to low severity: Agree with appeals and low severity, this is more of a status accounting error and does not have any impact, since the statuses consistently do not utilize a switch from Vigin to Ongoing/Filled and the protocol can function appropriately even without the use of such statuses (presuming other bugs are fixed), the DoS impact will not occur.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.