Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`authorityReferralBonus` is transferred to `msg.sender` incorrectly.

kupiasec

Github link

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L883

Summary

authorityReferralBonus is for makers who has provided collateral and takers provides it.
But this bonus is transferred to takers again.

Vulnerability Details

In the PreMarkets._updateReferralBonus function, authorityReferralBonus is transferred to msg.sender from L883.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L883

tokenManager.addTokenBalance(
TokenBalanceType.ReferralBonus,
L883: _msgSender(),
makerInfo.tokenAddress,
authorityReferralBonus
);

This function is called in PreMarkets.createTaker, and msg.sender is taker.
authorityReferralBonus is calculated from platformFee and platformFee is provided from taker.
As a result, instead of maker, taker receives the authorityReferralBonus.

Impact

This leads the loss of funds for makers.

Tools Used

Manual Review

Recommendations

It is recommended to change the code as following:

tokenManager.addTokenBalance(
TokenBalanceType.ReferralBonus,
- _msgSender(),
- stockInfoMap[stockAddr].preOffer.authority,
makerInfo.tokenAddress,
authorityReferralBonus
);
Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.