Tadle has a mechanism that incentivizes makers to deposit collateral into the protocol: so-called trade taxes. These are fees defined by the maker as a percentage of the taker's deposit and are paid to the maker by every taker, whether at the first level (matched with the original offer) or at a higher level, where the taker is matched with an offer created from points already purchased from the original offer. This way, the primary makers earn from every trade that originates from their points. The problem is that this mechanism can be bypassed by a malicious user who purchases points once and pays the trade tax, but later starts receiving the trade taxes from higher levels to their own balance. This deprives the original maker of the guaranteed profit provided by the protocol.
This is done by the taker using the createOffer() function instead of the list function to create a new ask offer. The createOffer() function has no access control or other mechanism to prevent this. Additionally, by doing this, the user can set a new trade tax and collateral rate, as well as any of the other parameters in CreateOfferParams. From this moment onward, the malicious user will be able to receive the profits from trade taxes instead of the original maker (especially if they have purchased all the points).
When the market moves to the AskSettling status, the user can wait for the initial maker to settle their offer, withdraw the received points tokens, and use them to settle their own offer created with createOffer. In this way, the malicious user can steal trade taxes from the original maker.
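The difference between the two resale paths can be shown with a simplified accounting model, added here as an illustration; it is not Tadle's code and not part of the original report. The class and function names, the basis-point rates, the deposit amounts and the rule that a relisted offer keeps the origin's tax rate are all assumptions of the model.

```python
from collections import defaultdict
from dataclasses import dataclass

BPS = 10_000  # assumption: tax rates are expressed in basis points


@dataclass
class Offer:
    owner: str    # account that posted this offer
    tax_to: str   # account credited with the trade tax when the offer is taken
    tax_bps: int  # trade tax rate applied to the taker's deposit


class Market:
    def __init__(self):
        self.tax_income = defaultdict(int)
        self.bought_from = {}  # taker -> offer their points came from

    def create_offer(self, maker, tax_bps):
        # Fresh offer: the caller becomes the origin and picks the tax rate.
        return Offer(maker, maker, tax_bps)

    def list_points(self, holder):
        # Relisting purchased points: tax stays with the origin maker.
        src = self.bought_from[holder]
        return Offer(holder, src.tax_to, src.tax_bps)

    def take(self, offer, taker, deposit):
        self.tax_income[offer.tax_to] += deposit * offer.tax_bps // BPS
        self.bought_from[taker] = offer


def simulate(resell_with_create_offer):
    m = Market()
    origin = m.create_offer("maker", 500)        # constructed: 5% trade tax
    m.take(origin, "taker1", 1_000)              # taker1 pays tax once
    if resell_with_create_offer:
        resale = m.create_offer("taker1", 800)   # new origin, new rate
    else:
        resale = m.list_points("taker1")
    m.take(resale, "taker2", 1_000)              # higher-level trade
    return dict(m.tax_income)


def maker_shortfall():
    # Tax the original maker misses when the resale bypasses the list path.
    return simulate(False)["maker"] - simulate(True)["maker"]
```

In this model the original maker collects tax on both trades when the points are relisted, but only on the first trade when the resale is posted as a fresh offer.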
I am attaching a fragment from the Tadle documentation that describes the expected behavior of this functionality.
https://tadle.gitbook.io/tadle/how-tadle-works/features-and-terminologies/maker-bonus
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L39-L157
Loss of funds for the original maker from the trading taxes which are promised in the protocol's documentation.
Manual review
My advice is to add better access control to the createOffer function which prevents such flows and guarantees the maker's profit.