The createOffer function in the PreMarktes contract is susceptible to a reentrancy attack due to external calls and subsequent state variable updates. This vulnerability arises because the function makes an external call to the tokenManager contract and then updates the state variables. The vulnerability is exacerbated by the potential for cross-function reentrancy, which allows attackers to exploit the state variables in various functions across the contract.
Location: PreMarktes.createOffer(CreateOfferParams) (src/core/PreMarkets.sol#39-157)
External Calls:
- tokenManager.tillIn{value: msg.value}(_msgSender(), params.tokenAddress, transferAmount, false) (src/core/PreMarkets.sol#96-101)

State Variables Written After External Calls:
- makerInfoMap[makerAddr] is updated (src/core/PreMarkets.sol#105-113)
- offerInfoMap[offerAddr] is updated (src/core/PreMarkets.sol#116-131)
- stockInfoMap[stockAddr] is updated (src/core/PreMarkets.sol#134-146)
Cross-Function Reentrancy:
- PerMarketsStorage.makerInfoMap is used in the following functions:
  - PreMarktes.abortAskOffer(address,address) (src/core/PreMarkets.sol#536-635)
  - PreMarktes.abortBidTaker(address,address) (src/core/PreMarkets.sol#645-697)
  - PreMarktes.closeOffer(address,address) (src/core/PreMarkets.sol#406-460)
  - PreMarktes.createTaker(address,uint256) (src/core/PreMarkets.sol#164-284)
  - PreMarktes.getMakerInfo(address) (src/core/PreMarkets.sol#807-811)
  - PreMarktes.listOffer(address,uint256,uint256) (src/core/PreMarkets.sol#295-396)
  - PreMarktes.relistOffer(address,address) (src/core/PreMarkets.sol#470-526)
- PerMarketsStorage.offerInfoMap is used in:
  - PreMarktes.abortAskOffer(address,address) (src/core/PreMarkets.sol#536-635)
  - PreMarktes.abortBidTaker(address,address) (src/core/PreMarkets.sol#645-697)
  - PreMarktes.closeOffer(address,address) (src/core/PreMarkets.sol#406-460)
  - PreMarktes.createTaker(address,uint256) (src/core/PreMarkets.sol#164-284)
  - PreMarktes.getOfferInfo(address) (src/core/PreMarkets.sol#787-791)
  - PreMarktes.listOffer(address,uint256,uint256) (src/core/PreMarkets.sol#295-396)
  - PreMarktes.settleAskTaker(address,address,uint256,uint256) (src/core/PreMarkets.sol#759-781)
  - PreMarktes.settledAskOffer(address,uint256,uint256) (src/core/PreMarkets.sol#738-749)
  - PreMarktes.updateOfferStatus(address,OfferStatus) (src/core/PreMarkets.sol#705-713)
- PerMarketsStorage.stockInfoMap is used in:
  - PreMarktes.abortAskOffer(address,address) (src/core/PreMarkets.sol#536-635)
  - PreMarktes.abortBidTaker(address,address) (src/core/PreMarkets.sol#645-697)
  - PreMarktes.closeOffer(address,address) (src/core/PreMarkets.sol#406-460)
  - PreMarktes.createTaker(address,uint256) (src/core/PreMarkets.sol#164-284)
  - PreMarktes.getStockInfo(address) (src/core/PreMarkets.sol#797-801)
  - PreMarktes.listOffer(address,uint256,uint256) (src/core/PreMarkets.sol#295-396)
  - PreMarktes.relistOffer(address,address) (src/core/PreMarkets.sol#470-526)
  - PreMarktes.settleAskTaker(address,address,uint256,uint256) (src/core/PreMarkets.sol#759-781)
  - PreMarktes.updateStockStatus(address,StockStatus) (src/core/PreMarkets.sol#721-729)

An attacker could exploit this vulnerability to perform reentrancy attacks, leading to:
- Unauthorized Manipulation of State Variables: By exploiting the reentrancy, an attacker could manipulate critical state variables such as makerInfoMap, offerInfoMap, and stockInfoMap across multiple functions.
- Loss of Funds: The attacker could potentially drain funds if the external call involves transferring ETH or tokens.

Slither
- Use the Checks-Effects-Interactions Pattern: Ensure all state changes are made before calling external contracts. For example, update makerInfoMap, offerInfoMap, and stockInfoMap before making any external calls.
- Use Reentrancy Guard: Implement a reentrancy guard modifier to prevent reentrancy attacks. The ReentrancyGuard contract from OpenZeppelin can be used for this purpose.

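
The two recommendations above, combined in a simplified Solidity sketch (an added example, not the PreMarktes source): storage is written before the tillIn call, and a single lock is shared by every state-changing entry point so a callback into a different function also reverts. The contract name, struct fields, offer-address derivation and the ITokenManager signature are assumptions modelled on the call quoted in the report; the inline modifier stands in for OpenZeppelin's ReentrancyGuard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not project code. The interface below is an assumption
// inferred from the four-argument tillIn call quoted in the report.
interface ITokenManager {
    function tillIn(address account, address token, uint256 amount, bool) external payable;
}

contract OfferBookSketch {
    struct OfferInfo { address maker; uint256 amount; bool open; } // hypothetical fields

    ITokenManager public immutable tokenManager;
    mapping(address => OfferInfo) public offerInfoMap;
    uint256 private offerNonce;
    uint256 private locked = 1; // 1 = free, 2 = entered

    // Minimal stand-in for OpenZeppelin's ReentrancyGuard. Because the same
    // lock guards createOffer and closeOffer, re-entering either one while
    // the other is executing reverts (cross-function reentrancy).
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(ITokenManager tm) { tokenManager = tm; }

    function createOffer(address token, uint256 amount) external payable nonReentrant {
        // Checks
        require(amount > 0, "zero amount");
        address offerAddr = address(uint160(uint256(keccak256(abi.encode(msg.sender, offerNonce++)))));
        require(offerInfoMap[offerAddr].maker == address(0), "offer exists");
        // Effects: storage is final before control leaves this contract
        offerInfoMap[offerAddr] = OfferInfo(msg.sender, amount, true);
        // Interaction: external call last; if it reverts, the write above is rolled back
        tokenManager.tillIn{value: msg.value}(msg.sender, token, amount, false);
    }

    function closeOffer(address offerAddr) external nonReentrant {
        OfferInfo storage o = offerInfoMap[offerAddr];
        require(o.maker == msg.sender && o.open, "not closable");
        o.open = false;
    }
}
```
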
Invalid, all [vague generalities](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#vague-generalities) talking about possible reentrancies and afaik, reentrancy is not possible and not proven.