Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

A call to the TokenManager::updateTokenWhiteListed function can break offers from marketplaces that have *unwhitelisted* token addresses

Summary

Offers whose token addresses have been unwhitelisted can no longer be completely fulfilled.

Vulnerability Details

Both the DeliveryPlace::settleAskTaker and DeliveryPlace::settleAskMaker functions call the TokenManager::tillIn function by providing the tokenAddress of the appropriate marketplace.
The TokenManager::updateTokenWhiteListed function allows updating the token whitelist, which makes it possible to unwhitelist a token.

The issue here is that when unwhitelisting a token, the TokenManager::updateTokenWhiteListed function does not take into account that there might exist offers in a marketplace that uses the token to be unwhitelisted.

Impact

Offers created may not be completely fulfilled.

Tools Used

Manual review.

Recommendations

Prevent disabling tokens that have been used for offers settlement.
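
One way to implement this recommendation, as an added sketch that is not Tadle's code and not part of the original submission: the whitelist keeps a per-token count of open offers and refuses to unwhitelist a token while that count is non-zero. The contract name, the `market` caller, the hook functions and the assumption that settlement only accepts whitelisted tokens are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, NOT Tadle's TokenManager. Every name here is hypothetical.
contract GuardedTokenWhitelist {
    address public immutable admin;
    address public immutable market; // assumed: the only contract that creates/settles offers

    mapping(address => bool) public whitelisted;
    // Offers created with a token that have not been settled yet.
    mapping(address => uint256) public openOffers;

    error NotAuthorized();
    error NotWhitelisted(address token);
    error TokenStillInUse(address token, uint256 open);

    constructor(address market_) {
        admin = msg.sender;
        market = market_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAuthorized();
        _;
    }

    // Restricting the hooks prevents outsiders from inflating the counter
    // to block a legitimate unwhitelisting.
    modifier onlyMarket() {
        if (msg.sender != market) revert NotAuthorized();
        _;
    }

    function setWhitelisted(address token, bool status) external onlyAdmin {
        // The guard: a token cannot be disabled while offers still settle in it.
        if (!status && openOffers[token] != 0) revert TokenStillInUse(token, openOffers[token]);
        whitelisted[token] = status;
    }

    function onOfferCreated(address token) external onlyMarket {
        if (!whitelisted[token]) revert NotWhitelisted(token);
        openOffers[token] += 1;
    }

    function onOfferSettled(address token) external onlyMarket {
        // Assumed whitelist check on the settlement path; with the guard above it
        // cannot fail for an offer that was created while the token was whitelisted.
        if (!whitelisted[token]) revert NotWhitelisted(token);
        openOffers[token] -= 1; // checked arithmetic reverts if no offer is open
    }
}
```

The trade-off of this design is that the admin can no longer delist a token immediately while offers are open; new offers in that token would have to be blocked by a separate switch.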

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted as noted in READ.ME they can break certain assumptions of the code based on their actions, and
