In DeliveryPlace::settleAskTaker, the authorized user is wrongly set to offerInfo.authority
Summary
DeliveryPlace::settleAskTaker settles a taker's order when the taker (stock owner) has filled a bid offer. The taker deposits pointToken as part of the trade settlement. Later, those pointToken are added to the balance of the offer owner.
Vulnerability Details
The issue is that this function is authorized to be called by the offer owner instead of the stock owner:
Impact
If the stock owner is not allowed to call this function, this order cannot be settled. If the offer owner calls it instead, he would be required to deposit some pointToken when he should be the one receiving it.
Tools Used
Manual review
Recommendations
Authorize the stock owner to call this function:
Lead Judging Commences
finding-PreMarkets-settleAskTaker-wrong-stock-authority
Valid high severity, when taker offers are created pointing to a `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creater of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.