Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

settleAskTaker credit with the wrong token and the wrong person

Summary

When an ask taker settles their taker offer, the function settleAskTaker (L-335) credits the maker with the collateralFee and the taker with the points. But the function credits the authority of the offer with the points amount under the wrong token.

Vulnerability Details

When the maker calls settleAskTaker, they send a settled points amount, as we can see here (L-376):

if (settledPointTokenAmount > 0) {
    tokenManager.tillIn(
        _msgSender(),
        marketPlaceInfo.tokenAddress,
        settledPointTokenAmount,
        true
    );

The problem is that, just after that, the function credits the authority of the offer with the same amount but under the collateral token address, as we can see here:

    tokenManager.addTokenBalance(
        TokenBalanceType.PointToken,
        offerInfo.authority,
        makerInfo.tokenAddress,
        settledPointTokenAmount
    );
}

This is wrong: the amount that was just pulled in is denominated in the marketplace point token (marketPlaceInfo.tokenAddress), but the credit is recorded under the maker's collateral token (makerInfo.tokenAddress). The credit should use the marketplace token.

Impact

The user will be credited with a possibly huge amount.

Tools Used

Echidna

Recommendations

Make these changes to the settleAskTaker function:

if (settledPointTokenAmount > 0) {
    tokenManager.tillIn(_msgSender(), marketPlaceInfo.tokenAddress, settledPointTokenAmount, true);
    tokenManager.addTokenBalance(
        TokenBalanceType.PointToken, offerInfo.authority, marketPlaceInfo.tokenAddress, settledPointTokenAmount
    );
}

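
As an added illustration (not Tadle's code and not part of the submission), the following cut-down Solidity model captures the accounting that both the vulnerable snippet in Vulnerability Details and the recommended fix touch, together with an Echidna property in the style of the tooling the reporter lists. Only tillIn, addTokenBalance, TokenBalanceType.PointToken, marketPlaceInfo.tokenAddress and makerInfo.tokenAddress come from the page; every other name (LedgerModel, SettleModel, pooled, totalClaims, settleBuggy, settleFixed, the property name) and the two constant token addresses are assumptions constructed for the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical enum: only the member quoted in the report is modelled.
enum TokenBalanceType { PointToken }

// Minimal stand-in for the tokenManager ledger (assumption, not Tadle's contract).
// It tracks two things the real pool must keep consistent:
//   pooled[token]      - how much of each token has actually been pulled in
//   totalClaims[token] - how much of each token users have been credited to withdraw
contract LedgerModel {
    mapping(address => uint256) public pooled;
    mapping(address => uint256) public totalClaims;
    mapping(address => mapping(TokenBalanceType => mapping(address => uint256))) public userTokenBalance;

    // Models tokenManager.tillIn: `amount` of `token` arrives in the pool.
    // The sender and the bool flag are accepted but unused in this model.
    function tillIn(address, address token, uint256 amount, bool) internal {
        pooled[token] += amount;
    }

    // Models tokenManager.addTokenBalance: record a withdrawable claim for `user`.
    function addTokenBalance(TokenBalanceType balanceType, address user, address token, uint256 amount) internal {
        userTokenBalance[user][balanceType][token] += amount;
        totalClaims[token] += amount;
    }
}

contract SettleModel is LedgerModel {
    // Constructed placeholders for marketPlaceInfo.tokenAddress and makerInfo.tokenAddress.
    address public constant POINT_TOKEN = address(0x1);
    address public constant COLLATERAL_TOKEN = address(0x2);

    // Mirrors the quoted settleAskTaker branch: point tokens come in, but the
    // credit is keyed by the collateral token address.
    function settleBuggy(address authority, uint256 settledPointTokenAmount) external {
        if (settledPointTokenAmount > 0) {
            tillIn(msg.sender, POINT_TOKEN, settledPointTokenAmount, true);
            addTokenBalance(TokenBalanceType.PointToken, authority, COLLATERAL_TOKEN, settledPointTokenAmount);
        }
    }

    // Mirrors the recommended fix: the credit uses the same token that was pulled in.
    function settleFixed(address authority, uint256 settledPointTokenAmount) external {
        if (settledPointTokenAmount > 0) {
            tillIn(msg.sender, POINT_TOKEN, settledPointTokenAmount, true);
            addTokenBalance(TokenBalanceType.PointToken, authority, POINT_TOKEN, settledPointTokenAmount);
        }
    }

    // Echidna property: no token may have more credited claims than was ever pooled.
    // A claim on COLLATERAL_TOKEN with nothing pooled behind it can only be paid
    // out of other users' collateral, which is the impact the judge describes.
    function echidna_claims_backed() external view returns (bool) {
        return totalClaims[POINT_TOKEN] <= pooled[POINT_TOKEN]
            && totalClaims[COLLATERAL_TOKEN] <= pooled[COLLATERAL_TOKEN];
    }
}
```

Run Echidna against SettleModel and the property fails after a single settleBuggy call with a non-zero amount; delete settleBuggy (leaving only settleFixed) and the property holds, which is the same invariant a review of the real settleAskTaker should check: the token passed to addTokenBalance must be the one passed to tillIn.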
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning the collateral token to the user balance instead of the point token, if the collateral token is worth more than the point token, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, the user loses funds based on the points they are supposed to receive.
