Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Refund calculation manipulation in ` abortAskOffer` : Excessive refunds due to insufficient validation

warrior

Summary

  • Root Cause: Insufficient validation of remainingAmount and transferAmount.

  • Impact: Funds at risk due to potential manipulation of refund amounts, leading to excessive refunds.

In the abortAskOffer function allows manipulation of refund calculations, potentially leading to excessive refunds and financial losses for the protocol.

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L584-L629

Insufficient validation of remainingAmount and transferAmount allows manipulation of refund calculations, leading to excessive refunds.

PoC

Detailed Step-by-Step Exploit Scenario for Refund Calculation Manipulation in abortAskOffer

Initial State

  1. Offer Creation:

    • A maker creates an offer with specific parameters (e.g., amount, points, collateralRate).

    • The offer is in the Virgin state, and the collateral is transferred to the contract.

  2. Taker Interaction:

    • One or more takers interact with the offer, using a portion of the points.

    • The offer's usedPoints is updated accordingly.

Step 1: Attacker Identifies Vulnerable Offer

  • The attacker identifies an offer that has been partially used but is still in a state where it can be aborted (Virgin or Canceled).

Step 2: Attacker Manipulates Points

  • The attacker manipulates the points used in the offer to create a scenario where the remainingAmount calculation becomes favorable.

  • For example, the attacker ensures that remainingAmount is calculated in such a way that it exceeds the actual amount that should be refunded.

Step 3: Attacker Calls abortAskOffer

  • The attacker calls the abortAskOffer function with the manipulated offer.

  • The function calculates remainingAmount and transferAmount based on the manipulated points.

Step 4: Refund Calculation

The function calculates the refund amount:

uint256 remainingAmount;
if (offerInfo.offerStatus == OfferStatus.Virgin) {
remainingAmount = offerInfo.amount;
} else {
remainingAmount = offerInfo.amount.mulDiv(
offerInfo.usedPoints,
offerInfo.points,
Math.Rounding.Floor
);
}
uint256 transferAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
remainingAmount,
true,
Math.Rounding.Floor
);
uint256 totalUsedAmount = offerInfo.amount.mulDiv(
offerInfo.usedPoints,
offerInfo.points,
Math.Rounding.Ceil
);
uint256 totalDepositAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
totalUsedAmount,
false,
Math.Rounding.Ceil
);
///@dev update refund amount for offer authority
// @audit
uint256 makerRefundAmount;
if (transferAmount > totalDepositAmount) {
makerRefundAmount = transferAmount - totalDepositAmount;
} else {
makerRefundAmount = 0;
}
ITokenManager tokenManager = tadleFactory.getTokenManager();
tokenManager.addTokenBalance(
TokenBalanceType.MakerRefund,
_msgSender(),
makerInfo.tokenAddress,
makerRefundAmount
);

Step 5: Excessive Refund Issued

  • Due to the manipulated points and inadequate validation, the makerRefundAmount is calculated to be higher than it should be.

  • The attacker receives an excessive refund, draining more funds than they are entitled to.

Outcome

  • The attacker successfully exploits the refund calculation logic to receive an excessive refund.

  • The protocol loses funds due to the overpayment

Impact

for detail impact see above vulnerablity outcome

  • Exploiting this vulnerability can lead to excessive refunds, draining funds from the protocol.

Tools Used

manual code review

Recommendations

  • Add checks to ensure that the state transitions are consistent and valid.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.