Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

marketplace online is not checked for abortBidTaker.

0xsandy

Summary

In the abortBidTaker() function, marketplace online status is not checked.

Vulnerability Details

function abortBidTaker(address \_stock, address \_offer) external {

StockInfo storage stockInfo = stockInfoMap\[\_stock];

OfferInfo storage preOfferInfo = offerInfoMap\[\_offer];

if (stockInfo.authority != _msgSender()) {

revert Errors.Unauthorized();

}

if (stockInfo.preOffer != _offer) {

revert InvalidOfferAccount(stockInfo.preOffer, _offer);

}

if (stockInfo.stockStatus != StockStatus.Initialized) {

revert InvalidStockStatus(StockStatus.Initialized, stockInfo.stockStatus);

}

if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {

revert InvalidAbortOfferStatus(AbortOfferStatus.Aborted, preOfferInfo.abortOfferStatus);

}

uint256 depositAmount = stockInfo.points.mulDiv(preOfferInfo.points, preOfferInfo.amount, Math.Rounding.Floor);

uint256 transferAmount = OfferLibraries.getDepositAmount(

preOfferInfo.offerType, preOfferInfo.collateralRate, depositAmount, false, Math.Rounding.Floor

);

MakerInfo storage makerInfo = makerInfoMap[preOfferInfo.maker];

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(TokenBalanceType.MakerRefund, _msgSender(), makerInfo.tokenAddress, transferAmount);

stockInfo.stockStatus = StockStatus.Finished;

emit AbortBidTaker(_offer, _msgSender());

}

Here, there is no check for whether the marketplace is online or not.

Impact

abortBidTaker() function can be called even when marketplace is offline which shouldn't be the case as every other functionality requires marketplace to be online.

Tools Used

Manual Analysis

Recommendations

Add the following check in the abortBidTaker() function:

MarketPlaceInfo memory marketPlaceInfo = systemConfig.getMarketPlaceInfo(makerInfo.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(block.timestamp, MarketPlaceStatus.Online);

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-PreMarkets-abortBidTaker-lack-check-abort

Informational, during emergencies, even if abortions are allowed, withdrawal can be paused and collateral cannot be pulled anyways (`whenNotPaused` modifier within `withdraw()`), so there is no impact here, given funds outflow can be paused.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.