Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

ID clashes

_frolic

Summary

Clashing of Id's of stocks and offers.

Vulnerability Details

The offerIdvariable which is used to assign Ids and generate addresses for stocks and offers is not incremented correctly.

Impact

This results in stocks and offers that have the same id's.

POC

function test_duplicate_id() public {
vm.startPrank(user);
preMarktes.createOffer(
CreateOfferParams(
marketPlace,
address(mockUSDCToken),
1000,
0.01 * 1e18,
12000,
300,
OfferType.Ask,
OfferSettleType.Turbo
)
);
vm.stopPrank();
address offerAddr = GenerateAddress.generateOfferAddress(0);
address stockAddr = GenerateAddress.generateStockAddress(0);
vm.startPrank(user2);
preMarktes.createTaker(offerAddr, 500);
address stock1Addr = GenerateAddress.generateStockAddress(1);
preMarktes.listOffer(stock1Addr, 0.006 * 1e18, 12000);
vm.startPrank(user);
address offer1Addr = GenerateAddress.generateOfferAddress(1);
assertEq(preMarktes.getStockInfo(stockAddr).id, preMarktes.getStockInfo(stock1Addr).id);
assertEq(preMarktes.getOfferInfo(offerAddr).id, preMarktes.getOfferInfo(offer1Addr).id);
}

Tools Used

Manual Analysis

Recommendations

Increment the offerId properly.

Updates

Lead Judging Commences

0xnevi Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-createOffer-offerId-increment-after

I believe this is valid low severity, although there is inconsistency here when using the correct `offerId` for assigning offerIds and generating the unique addresses as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L67-L69), this is purely an accounting error for offerIds. If we generate the offerId using current `offerId - 1`, the appropriate listing/taker orders can still be created against those offers.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.