Because an incorrect token address is passed to the `tokenManager.addTokenBalance` function, the `pointTokenAmount` is saved as collateral instead of as PointToken. As a result, users cannot receive point tokens but can withdraw additional amounts of collateral, which can cause inconsistency between the protocol's token balances and users' virtual balances. There are two instances of the issue.
When sellers settle points, the buyers' internal point token balances should also be increased by invoking the `tokenManager.addTokenBalance` function. This call updates the `userTokenBalanceMap[_msgSender()][_tokenAddress][_tokenBalanceType]` variable, which is used to withdraw tokens. Since the `makerInfo.tokenAddress` variable contains the collateral token address, users cannot withdraw Point tokens.
Unexpected behavior, loss of assets.
Manual Review
Consider using `MarketPlaceInfo.tokenAddress` instead of `makerInfo.tokenAddress`.
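A simplified Python model of the accounting described in this finding, added here as an illustration; it is not the protocol's Solidity code. The token labels, amounts, the `CollateralRefund` balance type and the pool-holdings check are assumptions made for the example.

```python
from collections import defaultdict

# Constructed labels standing in for the two addresses named in the finding.
MAKER_INFO_TOKEN_ADDRESS = "COLLATERAL_TOKEN"   # makerInfo.tokenAddress
MARKETPLACE_TOKEN_ADDRESS = "POINT_TOKEN"       # MarketPlaceInfo.tokenAddress


class Ledger:
    """Virtual balances keyed like userTokenBalanceMap, plus real pool holdings."""

    def __init__(self):
        self.user_token_balance_map = defaultdict(int)  # (user, token, type) -> amount
        self.pool_holdings = defaultdict(int)           # token -> amount really held

    def deposit(self, token, amount):
        self.pool_holdings[token] += amount

    def add_token_balance(self, balance_type, user, token, amount):
        self.user_token_balance_map[(user, token, balance_type)] += amount

    def claimable(self, token):
        return sum(v for (_, t, _), v in self.user_token_balance_map.items() if t == token)

    def shortfall(self):
        """Tokens whose withdrawable claims exceed what the pool holds."""
        tokens = {t for (_, t, _) in self.user_token_balance_map}
        return {t: self.claimable(t) - self.pool_holdings[t]
                for t in tokens if self.claimable(t) > self.pool_holdings[t]}


def settle(credit_token, collateral=100, point_amount=50):
    """Hypothetical settlement: the seller delivers points, the buyer is credited."""
    ledger = Ledger()
    ledger.deposit(MAKER_INFO_TOKEN_ADDRESS, collateral)     # collateral in the pool
    ledger.deposit(MARKETPLACE_TOKEN_ADDRESS, point_amount)  # points delivered
    # Hypothetical balance type for the seller's returned collateral.
    ledger.add_token_balance("CollateralRefund", "seller",
                             MAKER_INFO_TOKEN_ADDRESS, collateral)
    # The call from the finding: pointTokenAmount credited under credit_token.
    ledger.add_token_balance("PointToken", "buyer", credit_token, point_amount)
    return ledger


if __name__ == "__main__":
    for name, token in (("reported", MAKER_INFO_TOKEN_ADDRESS),
                        ("recommended", MARKETPLACE_TOKEN_ADDRESS)):
        ledger = settle(token)
        print(name, "shortfall:", ledger.shortfall(),
              "point claims:", ledger.claimable(MARKETPLACE_TOKEN_ADDRESS))
```

A per-token comparison of total virtual balances against pool holdings, as in `shortfall()`, is the kind of invariant a test suite can assert after every settlement path.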
Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.