Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Incorrect handling of collateral rate changes leading to financial discrepancies

Summary

The DeliveryPlace contract does not handle changes in the collateral rate after the creation of offers or stocks, leading to potential miscalculations in refund amounts and collateral fees. This vulnerability can result in significant financial discrepancies and exploitation.

Vulnerability Details

The contract uses collateralRate in several functions to calculate refund amounts and collateral fees. If the collateral rate changes after an offer or stock is created, these calculations will be incorrect.

closeBidOffer Function

The closeBidOffer function calculates the refund amount using the collateral rate stored in the offerInfo structure. If the collateral rate changes after the offer is created, the refund calculation will be incorrect.

uint256 refundAmount = OfferLibraries.getRefundAmount(
    offerInfo.offerType,
    offerInfo.amount,
    offerInfo.points,
    offerInfo.usedPoints,
    offerInfo.collateralRate
);

closeBidTaker Function

The closeBidTaker function calculates the collateral fee using the collateral rate stored in the offerInfo structure. Similar to the closeBidOffer function, if the collateral rate changes after the offer is created, the collateral fee calculation will be incorrect.

uint256 collateralFee = OfferLibraries.getDepositAmount(
    offerInfo.offerType,
    offerInfo.collateralRate,
    offerInfo.amount,
    true,
    Math.Rounding.Floor
);

PoC

Detailed step-by-step exploit scenario

Initial State

  • Collateral Rate: Initially set to 10%.

  • Offer: An offer is created with an amount of 1000 tokens and 100 points.

  • Collateral: Calculated as 100 tokens (10% of 1000 tokens)

Step 1: Offer Creation
  • Action: An attacker creates an offer with the following parameters:

    • Amount: 1000 tokens

    • Points: 100 points

    • Collateral Rate: 10%

  • Calculation:

    • Collateral: 100 tokens (10% of 1000 tokens)

    • The offer is created and stored with these values.

Step 2: Collateral Rate Change
  • Action: The collateral rate is changed to 20% due to an external event or administrative action.

  • Impact: The new collateral rate is now 20%, but the offer still holds the old collateral rate of 10%.

Step 3: Closing the Offer
  • Action: The attacker closes the offer using the closeBidOffer function.

  • Calculation:

    • The function calculates the refund amount based on the initial collateral rate of 10%.

    • Refund Amount: OfferLibraries.getRefundAmount is called with the old collateral rate of 10%.

Step 4: Exploiting the Discrepancy
  • Calculation:

    • Initial Collateral: 100 tokens (10% of 1000 tokens)

    • New Collateral Rate: 20%

    • Refund Amount Calculation:

      uint256 refundAmount = OfferLibraries.getRefundAmount(
          offerInfo.offerType,
          offerInfo.amount,
          offerInfo.points,
          offerInfo.usedPoints,
          offerInfo.collateralRate // This still uses the old rate of 10%
      );
    • Since the collateral rate used for the refund calculation is still 10%, the refund amount will be based on 100 tokens instead of the updated 200 tokens.

Outcome

  • Result: The attacker receives a refund based on the outdated collateral rate of 10%, resulting in an incorrect refund amount.

  • Refund Amount: 100 tokens (instead of the correct amount based on the new 20% rate, which would be 200 tokens).

Implications

  • The protocol will refund incorrect amounts, leading to financial discrepancies.

  • Users may receive more or less than they are entitled to, causing potential financial loss.

  • These errors can lead to operational disruptions and loss of user trust.
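
The scenario above as a minimal Solidity model (an added example, not Tadle's code or the submitter's PoC). The contract, its function names, the basis-point scale and the simplified refund formula are assumptions made for illustration; replayPoC() walks Steps 1 to 3 and returns the refund at the stored rate, the refund at the current rate, and the collateral locked at creation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Tadle code. All names are hypothetical and the
// refund formula is a simplified stand-in for OfferLibraries.getRefundAmount.
contract CollateralRateDrift {
    uint256 public constant RATE_SCALE = 10_000; // assumption: basis points
    uint256 public collateralRate = 1_000; // 10%, the PoC's initial rate

    struct Offer {
        uint256 amount; // offer amount in tokens
        uint256 collateralRate; // rate snapshotted when the offer was created
        uint256 deposited; // collateral actually locked at creation
    }

    Offer[] public offers;

    function createOffer(uint256 amount) public returns (uint256 id) {
        uint256 deposit = (amount * collateralRate) / RATE_SCALE;
        offers.push(Offer(amount, collateralRate, deposit));
        id = offers.length - 1;
    }

    // Stand-in for the external event or administrative action in Step 2.
    function setCollateralRate(uint256 newRate) public {
        collateralRate = newRate;
    }

    // Refund from the rate stored in the offer, as described for closeBidOffer.
    function refundAtStoredRate(uint256 id) public view returns (uint256) {
        Offer storage o = offers[id];
        return (o.amount * o.collateralRate) / RATE_SCALE;
    }

    // Refund derived from the rate in force when the call executes.
    function refundAtCurrentRate(uint256 id) public view returns (uint256) {
        return (offers[id].amount * collateralRate) / RATE_SCALE;
    }

    // Replays Steps 1 to 3 with the PoC figures so the results can be compared.
    function replayPoC() external returns (uint256 stored, uint256 live, uint256 deposited) {
        collateralRate = 1_000; // reset to the PoC's initial 10%
        uint256 id = createOffer(1_000); // Step 1: 1000 tokens
        setCollateralRate(2_000); // Step 2: rate raised to 20%
        stored = refundAtStoredRate(id); // Step 3: what closeBidOffer would use
        live = refundAtCurrentRate(id);
        deposited = offers[id].deposited;
    }
}
```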

Impact

  • The protocol will refund incorrect amounts, leading to financial discrepancies.

  • Users may receive more or less than they are entitled to, causing potential financial loss and trust issues.

Tools Used

manual code review, vscode, solidity, foundry, solodit

Recommendations

  • Ensure that the collateral rate is dynamically fetched and used in calculations at the time of function execution, rather than relying on stored values.

  • Implement mechanisms to update the collateral rate in existing offers and stocks whenever the global collateral rate changes.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipulation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract.
