wrong acces control for the settleAskTaker function
Summary
The function settleAskTaker(335) in the deliveryPlace is only callable by the owner of the contract of the authority of the offer which make no sense since it should be the taker that settle this and pay the points.
Vulnerability Details
the function is only callable by the authority offer as we can see here(L-360) :
However according to the comments of the function and the documentation the caller should be the stock authority
Impact
it will be impossible to settle an ask taker.
Tools Used
Manual Review
Recommendations
Change the block of code to correspond to the documentation :
Lead Judging Commences
finding-PreMarkets-settleAskTaker-wrong-stock-authority
Valid high severity, when taker offers are created pointing to a `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creater of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within settleAskTaker, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.