Tadle (DeFiFoundry contest, 27,750 USDC prize pool)

Submission Details
Severity: high
Status: Invalid

The attacker can reduce the refund obtained by the executor of abortAskOffer.

Summary

The attacker can reduce the refund obtained by the executor of abortAskOffer.

abortAskOffer has no slippage-control parameter, so an attacker can use a sandwich-like approach: execute createTaker before the user's abortAskOffer and abortBidTaker after it, causing the caller of abortAskOffer to lose assets at low cost to the attacker.

Vulnerability Details

In abortAskOffer, if some of the offer's points have already been sold, the funds the seller can recover are reduced.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L595-L621

    uint256 transferAmount = OfferLibraries.getDepositAmount(
        offerInfo.offerType,
        offerInfo.collateralRate,
        remainingAmount,
        true,
        Math.Rounding.Floor
    );
    uint256 totalUsedAmount = offerInfo.amount.mulDiv(
        offerInfo.usedPoints,
        offerInfo.points,
        Math.Rounding.Ceil
    );
    uint256 totalDepositAmount = OfferLibraries.getDepositAmount(
        offerInfo.offerType,
        offerInfo.collateralRate,
        totalUsedAmount,
        false,
        Math.Rounding.Ceil
    );
    ///@dev update refund amount for offer authority
    uint256 makerRefundAmount;
    if (transferAmount > totalDepositAmount) {
        makerRefundAmount = transferAmount - totalDepositAmount;
    } else {
        makerRefundAmount = 0;
    }

In abortBidTaker, the buyer can receive a refund from the collateral based on the purchased amount.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L671-L683

    uint256 depositAmount = stockInfo.points.mulDiv(
        preOfferInfo.points,
        preOfferInfo.amount,
        Math.Rounding.Floor
    );
    uint256 transferAmount = OfferLibraries.getDepositAmount(
        preOfferInfo.offerType,
        preOfferInfo.collateralRate,
        depositAmount,
        false,
        Math.Rounding.Floor
    );

abortBidTaker can only be executed after abortAskOffer.

    if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {
        revert InvalidAbortOfferStatus(
            AbortOfferStatus.Aborted,
            preOfferInfo.abortOfferStatus
        );
    }

This will lead to the following scenario:

  1. Assume the collateralRate is 100%.

  2. Alice, as the seller, deposits 100 tokens to sell 100 points.

  3. No one buys them, and Alice wants to settle the offer early, so she executes abortAskOffer.

  4. Bob monitors Alice's pending transaction and front-runs it with createTaker, buying all 100 of Alice's points in the same block before her abortAskOffer.

  5. Alice's abortAskOffer executes; since all points are now sold, Alice gets no refund.

  6. Immediately after abortAskOffer, Bob executes abortBidTaker to get his own refund.

  7. In the end, Bob has used a kind of sandwich attack to make Alice lose her assets.

Impact

The attacker can reduce the refund obtained by the executor of abortAskOffer.

Tools Used

vscode

Recommendations

Add an expectedRefundAmount parameter to abortAskOffer and revert if the actual refund is below it. Then, if abortAskOffer reverts, the attacker cannot execute abortBidTaker and so cannot recover the cost of the attack.
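The following Python model, added here as an example and not code from the Tadle repository or from the submitter, replays the numbered scenario above through the refund arithmetic quoted from abortAskOffer and then applies the recommended expectedRefundAmount guard. It assumes collateralRate is in basis points (10_000 == 100%), that the maker-side collateral for an ask offer is amount scaled by collateralRate while the taker side is the plain amount, and that remainingAmount equals the full offer amount for an offer that had no fills when the seller built the transaction; the names mul_div, maker_refund, abort_ask_offer and abort_bid_taker are hypothetical. The point it shows is that the seller's refund is a function of usedPoints at execution time, not at submission time, and that a minimum-refund check turns the shortfall into a revert, which in turn keeps the offer out of the Aborted state that abortBidTaker requires.

```python
from dataclasses import dataclass

# Assumed scaler: collateralRate is in basis points, 10_000 == 100%.
COLLATERAL_RATE_SCALER = 10_000


def mul_div(a: int, b: int, d: int, round_up: bool) -> int:
    """Integer a*b/d with explicit rounding, standing in for Math.mulDiv."""
    q, r = divmod(a * b, d)
    return q + 1 if (round_up and r) else q


def maker_deposit(amount: int, collateral_rate: int, round_up: bool) -> int:
    """Ask-offer maker collateral: amount scaled by collateralRate (assumed model)."""
    return mul_div(amount, collateral_rate, COLLATERAL_RATE_SCALER, round_up)


@dataclass
class AskOffer:
    amount: int            # collateral tokens the seller put up against `points`
    points: int
    collateral_rate: int
    used_points: int = 0   # points already bought by takers
    aborted: bool = False  # stands in for AbortOfferStatus.Aborted


def maker_refund(offer: AskOffer) -> int:
    """Refund abortAskOffer pays the seller, following the quoted snippet."""
    # remainingAmount assumed == offer.amount (no fills when the seller signed)
    transfer_amount = maker_deposit(offer.amount, offer.collateral_rate, round_up=False)
    total_used_amount = mul_div(offer.amount, offer.used_points, offer.points, round_up=True)
    # For an ask offer, getDepositAmount with isMaker == false is the plain amount.
    total_deposit_amount = total_used_amount
    if transfer_amount > total_deposit_amount:
        return transfer_amount - total_deposit_amount
    return 0


class RefundBelowExpected(Exception):
    """Hypothetical revert reason for the recommended slippage guard."""


class InvalidAbortOfferStatus(Exception):
    """Mirrors the status check quoted from abortBidTaker."""


def abort_ask_offer(offer: AskOffer, expected_refund_amount: int) -> int:
    """Recommended variant: revert when the refund is below what the seller expected."""
    refund = maker_refund(offer)
    if refund < expected_refund_amount:
        raise RefundBelowExpected(f"refund {refund} < expected {expected_refund_amount}")
    offer.aborted = True
    return refund


def abort_bid_taker(offer: AskOffer, taker_points: int) -> int:
    """Taker refund is reachable only once the offer is Aborted; for an ask offer
    the taker side is the plain pro-rata amount (assumed model)."""
    if not offer.aborted:
        raise InvalidAbortOfferStatus("offer is not Aborted")
    return mul_div(offer.amount, taker_points, offer.points, round_up=False)


def scenario() -> dict:
    """Replay the report's scenario: quote, front-run fill, guarded abort."""
    alice = AskOffer(amount=100, points=100, collateral_rate=COLLATERAL_RATE_SCALER)
    quoted = maker_refund(alice)          # what Alice sees when she submits: 100
    alice.used_points = 100               # a createTaker for all points lands first
    after_front_run = maker_refund(alice)  # what the unguarded function would pay: 0
    try:
        abort_ask_offer(alice, expected_refund_amount=quoted)
        guard = "executed"
    except RefundBelowExpected:
        guard = "reverted"
    try:
        abort_bid_taker(alice, taker_points=100)
        taker_refund = "paid"
    except InvalidAbortOfferStatus:
        taker_refund = "blocked"          # no Aborted state, so no taker refund
    return {
        "quoted": quoted,
        "after_front_run": after_front_run,
        "with_guard": guard,
        "taker_refund": taker_refund,
    }


if __name__ == "__main__":
    print(scenario())
```

The guard only protects the seller if expectedRefundAmount is computed off-chain from the state the seller actually observed; a client that passes 0 gets the current behaviour back. Partial fills behave the same way: with 40 of 100 points sold the model returns a refund of 60, and the seller's own expectation decides whether that is acceptable.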

Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published: Invalidated
Reason: Incorrect statement

Appeal created

p0wd3r (Submitter), over 1 year ago

0xnevi (Lead Judge), about 1 year ago
Submission Judgement Published: Invalidated
Reason: Incorrect statement
