Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

The users can double their maker refund withdrawal amount

## Summary
The users can double their maker refund withdrawal amount.
## Vulnerability Details
The users can double their maker refund withdrawal amount.
Attack Vector:
1. The user creates an offer and deposits 1 ETH into the capital pool.
2. The user cancels their offer, which allows them to withdraw 1 ETH, as `offerStatus = Canceled`.
```solidity
offerInfo.offerStatus = OfferStatus.Canceled;
```
3. The user re-lists the offer and changes the `offerStatus` from `Canceled` to `Virgin`.
```solidity
offerInfo.offerStatus = OfferStatus.Virgin;
```
4. The user calls the `abortAskOffer` function. Since `remainingAmount = offerInfo.amount` and `usedPoints = 0`, `totalDepositAmount = 0`, which makes `transferAmount > totalDepositAmount` true.
5. In the `TokenManager`, `remainingAmount = offerInfo.amount` is added for the `MakerRefund` type, allowing the user to double their withdrawal amount and withdraw more tokens than they deserve.
This attack scenario can also be exploited with ERC20 tokens.
## Impact
Funds from the contract can be drained.
## Tools Used
Manual Review
## Recommendations
When the user re-lists their offer, subtract the remaining amount from the `userTokenBalanceMap` in the `TokenManager` contract.
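
The accounting in the attack vector and the effect of the recommendation, as a ledger model added here as an example (it is not Tadle's contract code or the submitter's proof of concept). It assumes, as the steps above describe, that re-listing only flips the status; `Ledger`, `refund_credit`, `pool`, `ABORTED` and `run_sequence` are hypothetical names, with `refund_credit` standing in for the maker's `MakerRefund` entry in `userTokenBalanceMap`.

```python
from enum import Enum

OfferStatus = Enum("OfferStatus", "VIRGIN CANCELED ABORTED")  # ABORTED is a model-only name

class Ledger:
    """Toy model of one maker's offer and refund credit; not Tadle's contract code."""
    def __init__(self, debit_on_relist):
        self.debit_on_relist = debit_on_relist  # True = the report's recommendation
        self.pool = 0            # tokens held by the capital pool
        self.refund_credit = 0   # stands in for the maker's MakerRefund balance
        self.amount, self.status = 0, None

    def _require(self, status):
        if self.status is not status:
            raise ValueError(f"offer must be {status.name}")

    def create_offer(self, amount):            # step 1: deposit into the pool
        self.pool += amount
        self.amount, self.status = amount, OfferStatus.VIRGIN

    def cancel_offer(self):                    # step 2: refund becomes withdrawable
        self._require(OfferStatus.VIRGIN)
        self.refund_credit += self.amount
        self.status = OfferStatus.CANCELED

    def relist_offer(self):                    # step 3: Canceled -> Virgin
        self._require(OfferStatus.CANCELED)
        if self.debit_on_relist:
            if self.refund_credit < self.amount:
                raise ValueError("refund already withdrawn; relist rejected")
            self.refund_credit -= self.amount  # take the earlier credit back
        self.status = OfferStatus.VIRGIN

    def abort_ask_offer(self):                 # steps 4-5: MakerRefund credited again
        self._require(OfferStatus.VIRGIN)
        self.refund_credit += self.amount
        self.status = OfferStatus.ABORTED

    def withdraw(self):                        # pay out whatever credit is recorded
        paid, self.refund_credit = self.refund_credit, 0
        self.pool -= paid
        return paid

def run_sequence(debit_on_relist, amount=10**18):
    ledger = Ledger(debit_on_relist)
    ledger.create_offer(amount)
    for step in (ledger.cancel_offer, ledger.relist_offer, ledger.abort_ask_offer):
        step()
    return ledger.refund_credit, ledger.refund_credit <= ledger.pool  # credit must not exceed pool
```

The second value returned by `run_sequence` is a solvency invariant that can be reused as a property in a fuzz or invariant test. With `debit_on_relist=True`, a maker who already withdrew after cancelling cannot re-list in this model.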
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-immediate-withdrawal-allow-maker-steal-funds

Valid high severity, given original offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details.
