Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

nchecked Offer Status and Stock Type in abortBidTaker Function Leading to Unauthorized Abortion of Taker Positions or possibly drainage of funds

waydou

Summary

The abortBidTaker function is designed to allow the offer owner to abort a bid taker under certain conditions. However, the function contains critical vulnerabilities due to missing checks. Specifically, it does not verify the stock type to ensure it is associated with a bid, nor does it check the status of the associated offer. These omissions allow the function to be executed even when the offer is canceled or unrelated to a bid, leading to severe disruptions in the market.

Vulnerability Details

The abortBidTaker function is intended to be used specifically for aborting a taker position in the context of bids. However, two significant checks are missing from the function:

Stock Type Validation: The function does not verify whether the provided stock address is associated with a bid. Without this check, the function can be called on any stock, regardless of its type, potentially leading to the incorrect application of bid-specific logic.

Offer Status Validation: The function also fails to check the status of the associated offer. This means that even if an offer has been canceled, the function can still be called, leading to the inappropriate execution of the abort logic.

Impact

Malicious users could exploit this vulnerability to target specific offers, causing them to be aborted even when they should remain active. This could lead to significant market manipulation, where certain offers are unfairly terminated or manipulated.
If the function is called on canceled offers or non-bid-related stocks, it could lead to premature refunds or the release of collateral. This can result in financial losses for participants who rely on the proper functioning of the bid and offer processes.

Tools Used

Manual Review

Recommendations

Fix the code:

function abortBidTaker(address _stock, address _offer) external {
StockInfo storage stockInfo = stockInfoMap[_stock];
OfferInfo storage preOfferInfo = offerInfoMap[_offer];
if (stockInfo.authority != _msgSender()) {
revert Errors.Unauthorized();
}
if (stockInfo.preOffer != _offer) {
revert InvalidOfferAccount(stockInfo.preOffer, _offer);
}
if (stockInfo.stockStatus != StockStatus.Initialized) {
revert InvalidStockStatus(
StockStatus.Initialized,
stockInfo.stockStatus
);
}
if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {
revert InvalidAbortOfferStatus(
AbortOfferStatus.Aborted,
preOfferInfo.abortOfferStatus
);
}
+ if (stockInfo.stockType == StockType.Bid) {
+ revert InvalidStockType();
+ }
+ if (
+ offerInfo.offerStatus != OfferStatus.Virgin &&
+ offerInfo.offerStatus != OfferStatus.Canceled
+ ) {
+ revert InvalidOfferStatus();
+ }
```
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-abortBidTaker-lack-check-Bid-Type

Low severity, the check is indeed missing for `abortBidTaker`, however, this would be contingent on user error and the funds are not locked, given admin can rescue them via `Rescuable.sol`

finding-Premarkets-listOffer-lack-check-abort-relist

Leaving high severity for now but will leave open for appeals. Technically, users can choose not to transact this type offers if they are aware of such undercollaterized relisted offers, in which case it will have no impact. However, if subsequent takers transact this relisted offers, this can allow profits without having to settle any points.

Appeal created

0xnevi Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-abortBidTaker-lack-check-Bid-Type

Low severity, the check is indeed missing for `abortBidTaker`, however, this would be contingent on user error and the funds are not locked, given admin can rescue them via `Rescuable.sol`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.