Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

`DeliveryPlace::settleAskTaker` allocates the `settledPointTokenAmount` for the maker (i.e., offer's authority) in collateral token address instead of point token address

Summary

  • settleAskTaker transfers the point token from the taker (the stock's authority) to the capital pool and allocates it to the offer's direct maker (authority) by calling addTokenBalance for that point token.

  • When calling addTokenBalance, however, it passes the wrong token address: the collateral token address instead of the point token address. As a result, the offer's authority cannot withdraw their point tokens. Instead, they are credited with a withdrawable collateral token balance of settledPointTokenAmount, and the point tokens sent to the capital pool remain unallocated.

Vulnerability Details

  • The vulnerability is in settleAskTaker, which transfers the point token from the taker to the capital pool and then passes the wrong token address when allocating it to the offer's authority.

    if (settledPointTokenAmount > 0) {
        tokenManager.tillIn(
            _msgSender(),
            marketPlaceInfo.tokenAddress,
            settledPointTokenAmount,
            true
        );
        tokenManager.addTokenBalance(
            TokenBalanceType.PointToken,
            offerInfo.authority,
    @>      makerInfo.tokenAddress, // @audit should be marketPlaceInfo.tokenAddress
            settledPointTokenAmount
        );
    }

  • Here, makerInfo.tokenAddress is the collateral token address (the token posted as collateral and exchanged for the point token), and marketPlaceInfo.tokenAddress is the point token address.

  • The balance is therefore credited under the wrong token address: the offer's authority cannot withdraw their point tokens and instead gains access to the collateral token.

Impact

  • addTokenBalance is expected to credit settledPointTokenAmount to the offer's authority under the point token address in the TokenManager. Instead, it credits the amount under the collateral token, so the offer's authority cannot withdraw the point tokens, which remain unallocated in the CapitalPool.

  • The accounting for makerInfo.tokenAddress is also corrupted: the offer's authority can withdraw collateral that was never allocated to them, so the CapitalPool's records no longer match its holdings and another user may be unable to withdraw their funds because of the excess withdrawal caused by the incorrect allocation in settleAskTaker.

Tools Used

Manual Review

Recommendations

Pass marketPlaceInfo.tokenAddress instead of makerInfo.tokenAddress when calling addTokenBalance, so that the point tokens are allocated to the offer's authority.
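
The accounting effect described under Impact, and the effect of the recommended fix, can be checked with a small ledger model. This is an added example, not code from the Tadle repository: the Ledger class, the token labels and the user names are constructed, and the model ignores token decimals, fees and every other branch of settleAskTaker.

```python
from collections import defaultdict

# Constructed token labels; not addresses from the Tadle deployment.
POINT, COLLATERAL = "POINT", "USDC"

class Ledger:
    """Simplified model: CapitalPool holdings plus TokenManager claimable balances."""
    def __init__(self):
        self.pool = defaultdict(int)       # token -> amount held by the pool
        self.claimable = defaultdict(int)  # (user, token) -> withdrawable amount

    def till_in(self, token, amount):
        self.pool[token] += amount

    def add_token_balance(self, user, token, amount):
        self.claimable[(user, token)] += amount

    def owed(self, token):
        return sum(a for (_, t), a in self.claimable.items() if t == token)

    def insolvent_tokens(self):
        """Tokens for which total claims exceed what the pool holds."""
        tokens = {t for (_, t) in self.claimable}
        return sorted(t for t in tokens if self.owed(t) > self.pool[t])

    def unallocated(self, token):
        """Amount held by the pool that nobody can claim."""
        return self.pool[token] - self.owed(token)

def settle_ask_taker(ledger, maker, amount, credit_token):
    # The taker's point tokens always enter the pool as the point token...
    ledger.till_in(POINT, amount)
    # ...but the maker's credit is recorded under whichever address is passed.
    ledger.add_token_balance(maker, credit_token, amount)

def run(credit_token):
    ledger = Ledger()
    # Constructed starting state: another user's 100 collateral is in the
    # pool and fully claimable by them.
    ledger.till_in(COLLATERAL, 100)
    ledger.add_token_balance("other_user", COLLATERAL, 100)
    settle_ask_taker(ledger, "maker", 50, credit_token)
    return ledger.insolvent_tokens(), ledger.unallocated(POINT)

if __name__ == "__main__":
    print("makerInfo.tokenAddress (as reported):", run(COLLATERAL))
    print("marketPlaceInfo.tokenAddress (fixed):", run(POINT))
```

The same per-token check (total claimable never exceeds pool holdings, and nothing is left unallocated after settlement) can serve as an invariant in the project's own test suite.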

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.
