Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

[H-4] `PreMarkets::abortOffer` will refund more amount to the creater than intended

nilay27

Description:

In PreMarkets we have abortOffer which is used to by createOffer(ask) or listOffer() creators to abort the ongoing deal.

If the offer is still Virgin and no deals have been conducted, then there are no issues as the entire amount submitted as collateral needs to be refunded.

however, when the some points are used i.e ideally the offerstatus should set to Ongoing, however it is never set so in the contract.

Thus despite having fare share of offers matched, the creater can still call abort and get entire amount as refund.

Proof of concept:

As per the code snippet below, lets say if a user lists 2000 points for 50 usdc and has 40 usdc worth of trades matched, hence the usedPoints will be (4/5) * 2000, 1600, however since the status is bever changed, the remaining amount will still be 2000.

This will cause issue in calculating further data as transferAmount is dependent on remainingAmount and so on.
At the end the makerRefund amount will be excessive and this can be used by the taker to start draining the capital pool

uint256 remainingAmount;

if (offerInfo.offerStatus == OfferStatus.Virgin) {

remainingAmount = offerInfo.amount;

} else {

// @audit high!

// offerstatus is never changed to ongoing!

// so always full amount returned!

remainingAmount = offerInfo.amount.mulDiv(

offerInfo.usedPoints,

offerInfo.points,

Math.Rounding.Floor

);

}

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate,

remainingAmount,

true,

Math.Rounding.Floor

);

uint256 totalUsedAmount = offerInfo.amount.mulDiv(

offerInfo.usedPoints,

offerInfo.points,

Math.Rounding.Ceil

);

uint256 totalDepositAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate,

totalUsedAmount,

false,

Math.Rounding.Ceil

);

///@dev update refund amount for offer authority

uint256 makerRefundAmount;

if (transferAmount > totalDepositAmount) {

makerRefundAmount = transferAmount - totalDepositAmount;

} else {

makerRefundAmount = 0;

}

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(

TokenBalanceType.MakerRefund,

_msgSender(),

makerInfo.tokenAddress,

makerRefundAmount

);

Recommended Mitigation:

Change the code to following:
Whenever the createTaker() is executed, change the offerStatus from Virgin to Ongoing!

Updates

Lead Judging Commences

0xnevi Lead Judge

12 months ago

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.