There is an attack vector in which the maker acts as a taker for his own offer, which can cause the buyers of the points to suffer a loss while the maker earns a profit without settling any tokens.
Additionally, if the original maker in turbo mode does not settle correctly, the bidders can call the closeBidTaker function to get their bid amount back. However, in turbo mode there can be various listings at different amounts, i.e. the rate at which the points are sold can vary, so if the original maker does not settle correctly, the buyers can lose funds.
Suppose that in turbo mode 500 points were originally selling for 500 dollars. A taker takes 250 points by paying 250 dollars and sells those 250 tokens to buyer A for 300. Another taker buys the remaining 250 tokens for 250 dollars and sells them for 300 dollars to buyer B. The original maker then fails the settlement, and both buyer A and buyer B call the closeBidTaker function.
The following calculations are used, which give these buyers back the tokens they used to buy the points.
According to this, usedAmount will be 500. Suppose the initial collateral rate was 110; the collateral fee would therefore be 550.
userCollateralFee for buyer A and buyer B would be 275 each, so they purchased the points for 300 dollars but got back only 275 tokens, which is a loss for them.
Now I will provide an instance where this attack vector is possible for the maker and where he incurs no loss.
Note that this is possible because the original maker can himself act as a taker in turbo mode, then list the tokens and sell them at a rate higher than the collateral paid, so he would not suffer any loss.
For example:
The maker places an ask offer by paying 550 in collateral fees, selling 500 tokens at 500 dollars.
He then calls create taker for his own offer and buys the 500 tokens. As he is the taker, the tokens are transferred to himself only, so there is no loss of funds (ignoring the platform fee, which would be quite small compared to the profit earned by this attack).
He then sells the 500 tokens at a rate of 600, or any amount which covers his collateral.
He then does not settle his original offer, causing a loss of funds for the buyer as explained above.
In addition, he earns a profit without even selling any of his tokens.
Moreover, this attack can get worse: because the maker can earn a profit by acting as a taker, he never settles the ask offer, so the buyers cannot even call the closeBidTaker function, resulting in a full loss of funds.
A maker can cause the buyers to lose their funds without any risk.
Manual Review.
Don't allow the maker to be the taker in case of turbo mode.
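The accounting described in this finding, as an added Python model that is not the protocol's contract code or the submitter's proof of concept. It assumes the collateral rate of 110 is a percentage, refunds are pro-rata with integer division, and platform fees are ignored; all function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Resale:
    buyer: str
    points: int  # points bought from the reseller
    paid: int    # amount the buyer paid the reseller


def refund_on_close(origin_amount, collateral_rate_pct, origin_points, points_held):
    """Pro-rata share of the ORIGIN offer's collateral returned to a buyer."""
    collateral = origin_amount * collateral_rate_pct // 100
    return collateral * points_held // origin_points


def buyer_shortfalls(origin_amount, collateral_rate_pct, origin_points, resales):
    """Loss per buyer if the origin maker never settles (0 = fully covered)."""
    return {
        r.buyer: max(0, r.paid - refund_on_close(
            origin_amount, collateral_rate_pct, origin_points, r.points))
        for r in resales
    }


def maker_net_if_self_taker(origin_amount, collateral_rate_pct, resales):
    """Resale proceeds minus forfeited collateral when the maker took his own
    offer (the taker payment returns to himself, so it nets to zero)."""
    collateral = origin_amount * collateral_rate_pct // 100
    return sum(r.paid for r in resales) - collateral


def check_taker_allowed(maker, taker, turbo_mode):
    """Recommended guard: in turbo mode the maker may not take his own offer."""
    if turbo_mode and maker == taker:
        raise PermissionError("maker cannot take own offer in turbo mode")


if __name__ == "__main__":
    # Constructed inputs matching the numbers used in the finding.
    two_resellers = [Resale("A", 250, 300), Resale("B", 250, 300)]
    print(buyer_shortfalls(500, 110, 500, two_resellers))
    print(maker_net_if_self_taker(500, 110, [Resale("C", 500, 600)]))
```

Any resale priced above the origin offer's collateral per point leaves a non-zero shortfall, which is why the refund cannot make later buyers whole once the origin maker defaults.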
Valid high severity, this allows resellers listing offers via `listOffer/relistOffer` to game the system. Based on the inherent design of Turbo mode not requiring takers making ask offers for the original maker offer to deposit collateral, the wrong refund of collateral to takers even when they did not deposit collateral due to turbo mode during settleAskMaker allows possible draining of pools.