If malicious attackers buy the small points from ask offer and sell this bid taker, aborting will be DoS
Github link
Summary
If the originOfferInfo.abortOfferStatus is SubOfferListed, inherited ask offers and bid takers can not be aborted.
If malicious attackers buy the small points from ask offer and sell this bid taker, aborting will be DoS
Vulnerability Details
If the offer is listed, originOfferInfo.abortOfferStatus is set as SubOfferListed from L342.
The PreMarkets.abortAskOffer function checks offerInfo.abortOfferStatus == AbortOfferStatus.Initialized.
As a result, if origin offer is sub listed, it can not be aborted.
The PreMarkets.abortBidTaker function checks preOfferInfo.abortOfferStatus == AbortOfferStatus.Aborted.
As a result, bid takers inherited from sublisted offer can not be aborted.
Impact
Malicious attackers can make the aborting ask offers and bid takers be Dos by buying the small points from ask offer and selling this bid taker.
Tools Used
Manual Review
Recommendations
It is recommended to redesign the SubOfferListed mechanism.
When the offer is listed, don't set originOfferInfo.abortOfferStatus as SubOfferListed.
Lead Judging Commences
[invalid] finding-PreMarkets-abortAskOffer-revert-SubOfferListed
This findings hinges on the fix to #1616. Since it DoSes abortAskOffer that should be allowed, medium severity seems appropriate. Note for invalidation: This highlights a potential inconsistency that sellers should be able to cancel their orders at any time if they are not fulfilled and retrieve their collateral as noted in the [doc](https://tadle.gitbook.io/tadle/product/points-marketplace#how-tadle-unlock-points-liquidity-on-our-marketplace). However, not how it mentions `if applicable` . > Upon completing the trade, the seller will receive the funds instantly, without having to wait for the token unlock at TGE. Sellers can cancel their orders at any time if they are not fulfilled and retrieve their collateral, if applicable. So one can interpret it as once a bid taker offer is created against an orign maker ask offer, the revenue earned represented by SalesRevenue (see issue #826 and #765 for more indepth explanation) is assigned to the origin maker that can be withdrawed immediately (meaning order is already fulfilled). So arguably, in turbo mode, once an sub offer is listed, it is an acceptable design decision to disallow termination even if the suboffer is not settled, given taker should be the rightful holder of the 100 points (per the PoC) i.e. the maker should settle, if not they can walk away with the collateral paid by taker FOC. I believe this issue is invalid
Appeal created
[invalid] finding-PreMarkets-abortAskOffer-revert-SubOfferListed
This findings hinges on the fix to #1616. Since it DoSes abortAskOffer that should be allowed, medium severity seems appropriate. Note for invalidation: This highlights a potential inconsistency that sellers should be able to cancel their orders at any time if they are not fulfilled and retrieve their collateral as noted in the [doc](https://tadle.gitbook.io/tadle/product/points-marketplace#how-tadle-unlock-points-liquidity-on-our-marketplace). However, not how it mentions `if applicable` . > Upon completing the trade, the seller will receive the funds instantly, without having to wait for the token unlock at TGE. Sellers can cancel their orders at any time if they are not fulfilled and retrieve their collateral, if applicable. So one can interpret it as once a bid taker offer is created against an orign maker ask offer, the revenue earned represented by SalesRevenue (see issue #826 and #765 for more indepth explanation) is assigned to the origin maker that can be withdrawed immediately (meaning order is already fulfilled). So arguably, in turbo mode, once an sub offer is listed, it is an acceptable design decision to disallow termination even if the suboffer is not settled, given taker should be the rightful holder of the 100 points (per the PoC) i.e. the maker should settle, if not they can walk away with the collateral paid by taker FOC. I believe this issue is invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.