Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

The `PreMarkets.abortBidTaker` function does not check `MarketPlaceStatus.Online`.

GitHub link

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L645-L697

Summary

`stockInfo.authority` can abort a bid-taker order while the market place is not in `MarketPlaceStatus.Online` status.

Vulnerability Details

`abortBidTaker` should only be callable while the market place referenced by the offer's maker is in `MarketPlaceStatus.Online` status. The function never reads the market place status, however, so the abort succeeds regardless of it.
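To make the missing gate concrete, here is an added, reduced Solidity model (not Tadle's code; the enum members, struct fields, error names and the refund bookkeeping are assumptions modelled on this report) that places the reported shape of the function beside a hardened form using the `checkMarketPlaceStatus` library pattern the recommendation references:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Tadle's code: enum members, struct fields, error names and
// the refund bookkeeping are assumptions modelled on the report. The point is
// the "market must be Online" gate and where it sits in the abort path.

enum MarketPlaceStatus { UnInitialized, Online, AskSettling, BidSettling, Offline }
enum AbortOfferStatus { Initialized, SubOfferAborted, Aborted }
enum StockStatus { Initialized, Finished }

struct MarketPlaceInfo {
    uint256 tge;              // token generation event timestamp
    uint256 settlementPeriod; // seconds after tge reserved for bid-side settlement
    MarketPlaceStatus status; // admin-set flag; settling phases are derived from time
}

error Unauthorized();
error InvalidOfferAccount(address expected, address actual);
error InvalidStockStatus(StockStatus expected, StockStatus actual);
error InvalidAbortOfferStatus(AbortOfferStatus expected, AbortOfferStatus actual);
error MarketPlaceStatusNotMatch(MarketPlaceStatus expected, MarketPlaceStatus actual);

library MarketPlaceLibraries {
    /// Effective status: an explicit Online/Offline flag wins; otherwise the
    /// settling phase is derived from how far past tge the chain clock is.
    function getMarketPlaceStatus(uint256 blockTimestamp, MarketPlaceInfo memory info)
        internal pure returns (MarketPlaceStatus)
    {
        if (info.status == MarketPlaceStatus.Offline) return MarketPlaceStatus.Offline;
        if (info.status == MarketPlaceStatus.Online) return MarketPlaceStatus.Online;
        if (info.tge + info.settlementPeriod < blockTimestamp) return MarketPlaceStatus.AskSettling;
        return MarketPlaceStatus.BidSettling;
    }

    /// Revert unless the effective status equals `expected`.
    function checkMarketPlaceStatus(
        MarketPlaceInfo memory info, uint256 blockTimestamp, MarketPlaceStatus expected
    ) internal pure {
        MarketPlaceStatus actual = getMarketPlaceStatus(blockTimestamp, info);
        if (actual != expected) revert MarketPlaceStatusNotMatch(expected, actual);
    }
}

contract PreMarketsModel {
    using MarketPlaceLibraries for MarketPlaceInfo;

    struct StockInfo { address authority; address preOffer; StockStatus stockStatus; uint256 points; }
    struct OfferInfo { address marketPlace; AbortOfferStatus abortOfferStatus; }

    mapping(address => StockInfo) public stockInfoMap;
    mapping(address => OfferInfo) public offerInfoMap;
    mapping(address => MarketPlaceInfo) public marketPlaceInfoMap;
    mapping(address => uint256) public refund; // stand-in for TokenManager.addTokenBalance(MakerRefund, ...)

    // Fixtures without access control: this is a model for tests, not a deployable market.
    function setMarketPlace(address market, MarketPlaceInfo memory info) external { marketPlaceInfoMap[market] = info; }
    function setOffer(address offer, address market, AbortOfferStatus s) external { offerInfoMap[offer] = OfferInfo(market, s); }
    function setStock(address stock, address authority, address preOffer, uint256 points) external {
        stockInfoMap[stock] = StockInfo(authority, preOffer, StockStatus.Initialized, points);
    }

    /// Shape of the reported function: authority, offer binding, stock status and
    /// abort-offer status are verified, but the market status never is.
    function abortBidTakerUnchecked(address _stock, address _offer) external {
        _commonChecks(_stock, _offer);
        _refund(_stock);
    }

    /// Hardened form: the Online gate sits after the other checks and before any
    /// balance is credited, so an abort cannot run against a settling or offline market.
    function abortBidTaker(address _stock, address _offer) external {
        _commonChecks(_stock, _offer);
        MarketPlaceInfo memory marketPlaceInfo = marketPlaceInfoMap[offerInfoMap[_offer].marketPlace];
        marketPlaceInfo.checkMarketPlaceStatus(block.timestamp, MarketPlaceStatus.Online);
        _refund(_stock);
    }

    function _commonChecks(address _stock, address _offer) internal view {
        StockInfo storage stockInfo = stockInfoMap[_stock];
        OfferInfo storage preOfferInfo = offerInfoMap[_offer];
        if (stockInfo.authority != msg.sender) revert Unauthorized();
        if (stockInfo.preOffer != _offer) revert InvalidOfferAccount(stockInfo.preOffer, _offer);
        if (stockInfo.stockStatus != StockStatus.Initialized)
            revert InvalidStockStatus(StockStatus.Initialized, stockInfo.stockStatus);
        if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted)
            revert InvalidAbortOfferStatus(AbortOfferStatus.Aborted, preOfferInfo.abortOfferStatus);
    }

    function _refund(address _stock) internal {
        StockInfo storage stockInfo = stockInfoMap[_stock];
        stockInfo.stockStatus = StockStatus.Finished; // mark the stock consumed before crediting
        refund[msg.sender] += stockInfo.points;       // 1:1 stand-in for the collateral maths
    }
}
```

To exercise it in a Foundry test, seed a market whose `status` is something other than `Online` or `Offline`, `vm.warp` past `tge + settlementPeriod`, and call both entry points as the stock's `authority`: `abortBidTakerUnchecked` credits `refund` and flips the stock to `Finished`, while `abortBidTaker` reverts with `MarketPlaceStatusNotMatch(Online, AskSettling)` and leaves state untouched. The gate is deliberately placed after the cheap status checks and before `_refund` so that a revert costs nothing in state and the refund can never be credited in a non-Online market.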

Impact

This breaks the restriction that bid-taker orders are only aborted while the market place is in `MarketPlaceStatus.Online` status: the abort can be executed in any other market status.

Tools Used

Manual Review

Recommendations

It is recommended to change the code as follows (insertion point linked below):

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L670

if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {
revert InvalidAbortOfferStatus(
AbortOfferStatus.Aborted,
preOfferInfo.abortOfferStatus
);
}
+ /// @dev market place must be online
+ ISystemConfig systemConfig = tadleFactory.getSystemConfig();
+ MarketPlaceInfo memory marketPlaceInfo = systemConfig
+ .getMarketPlaceInfo(makerInfo.marketPlace);
+ marketPlaceInfo.checkMarketPlaceStatus(
+ block.timestamp,
+ MarketPlaceStatus.Online
);
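Review bot: `makerInfo` is read in `getMarketPlaceInfo(makerInfo.marketPlace)` but nothing in this hunk declares it; confirm that a `makerInfo` lookup is in scope above this insertion point in `abortBidTaker`, otherwise the suggested code will not compile. The closing `);` of the `checkMarketPlaceStatus` call is also missing its `+` marker, so the hunk as shown cannot be applied as a diff.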
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] finding-PreMarkets-abortBidTaker-lack-check-abort

Informational: during emergencies, even if abortions are allowed, withdrawal can be paused and collateral cannot be pulled anyway (`whenNotPaused` modifier within `withdraw()`), so there is no impact here, given funds outflow can be paused.
