Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

Invariant broken: `abortAskOffer` and `closeOffer` refund the same amount of collateral

Vulnerability Details

`abortAskOffer` should return the remaining collateral and `closeOffer` should return the initial collateral to MAKER. We demonstrate here that both of them return the remaining collateral in this coded PoC:

Proof of code

```solidity
function test_poc() external {
    CreateOfferParams memory offerParams = CreateOfferParams(
        marketPlace, address(mockUSDCToken), 1000, 1 ether, 10000, 200, OfferType.Ask, OfferSettleType.Turbo
    );
    vm.prank(user);
    //@note MAKER creates an offer.
    preMarktes.createOffer(offerParams);
    address offerAddr = GenerateAddress.generateOfferAddress(0);
    address stockAddr = GenerateAddress.generateStockAddress(0);
    //@note TAKER creates an order against MAKER's offer.
    vm.prank(user2);
    preMarktes.createTaker(offerAddr, 600);
    uint256 snapshot = vm.snapshot();
    //@note MAKER aborts his offer.
    vm.prank(user);
    preMarktes.abortAskOffer(stockAddr, offerAddr);
    uint256 refundAmount1 =
        tokenManager.userTokenBalanceMap(address(user), address(mockUSDCToken), TokenBalanceType.MakerRefund);
    console2.log("Refund amount for maker: ", refundAmount1);
    vm.revertTo(snapshot); // restores the state
    //@note MAKER closes his offer.
    vm.prank(user);
    preMarktes.closeOffer(stockAddr, offerAddr);
    uint256 refundAmount2 =
        tokenManager.userTokenBalanceMap(address(user), address(mockUSDCToken), TokenBalanceType.MakerRefund);
    console2.log("Refund amount for maker: ", refundAmount2);
    assert(refundAmount1 == refundAmount2);
}
```

Output:

```
➜ 2024-08-tadle git:(main) ✗ forge test --mt test_poc8 -vv
[⠊] Compiling...
[⠘] Compiling 1 files with Solc 0.8.26
[⠃] Solc 0.8.26 finished in 3.71s
Ran 1 test for test/PreMarkets.t.sol:PreMarketsTest
[PASS] test_poc8() (gas: 929866)
Logs:
Refund amount for maker: 400000000000000000
Refund amount for maker: 400000000000000000
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 18.45ms (2.19ms CPU time)
```

Impact

Loss of funds

Tools Used

Foundry.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[invalid] finding-PreMarkets-abortAskOffer-Canceled exploit

Note, #148, #826, #1784 all stem from the fact that order statuses are not appropriately updated when a taker order is created against a maker offer. If the status is switched to `Ongoing/Filled` respectively, the virgin checks will fail appropriately and subsequently all these issues will be fixed. They could possibly be duplicates, so leaving open for appeal. This actually is closely related to issue #148. If a taker has created a Bid/Ask offer against an original maker offer and the Status is adjusted to Ongoing/Filled accordingly, then the abortion/cancellations cannot occur so this issue cannot be exploited.

Appeal created

0xbrivan2 Auditor
10 months ago
0xnevi Lead Judge
10 months ago
0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-PreMarkets-abortAskOffer-Canceled exploit

Note, #148, #826, #1784 all stem from the fact that order statuses are not appropriately updated when a taker order is created against a maker offer. If the status is switched to `Ongoing/Filled` respectively, the virgin checks will fail appropriately and subsequently all these issues will be fixed. They could possibly be duplicates, so leaving open for appeal. This actually is closely related to issue #148. If a taker has created a Bid/Ask offer against an original maker offer and the Status is adjusted to Ongoing/Filled accordingly, then the abortion/cancellations cannot occur so this issue cannot be exploited.
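
The status guard described in the judge's note, as an added sketch that is not part of the submission or of Tadle's contracts: once a taker joins, the offer leaves `Virgin`, so the maker-only abort and close paths revert. The contract name, the id-based signatures, the error names and the partial/full mapping to `Ongoing`/`Filled` are assumptions made for illustration, and collateral accounting is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

// Hypothetical, simplified model (not Tadle's contracts): ids replace the
// offer/stock addresses and collateral accounting is left out.
contract OfferStatusGuardSketch {
    enum OfferStatus { Unknown, Virgin, Ongoing, Filled, Canceled }

    struct Offer {
        address maker;
        uint256 points;     // points offered by the maker
        uint256 usedPoints; // points already bought by takers
        OfferStatus status;
    }

    mapping(uint256 => Offer) public offers;
    uint256 public nextId;

    error NotMaker();
    error InvalidPoints();
    error InvalidStatus(OfferStatus current);

    // Maker-only actions that are valid only while no taker has joined.
    modifier onlyMakerOfVirgin(uint256 id) {
        Offer storage o = offers[id];
        if (o.maker != msg.sender) revert NotMaker();
        if (o.status != OfferStatus.Virgin) revert InvalidStatus(o.status);
        _;
    }

    function createOffer(uint256 points) external returns (uint256 id) {
        if (points == 0) revert InvalidPoints();
        id = nextId++;
        offers[id] = Offer(msg.sender, points, 0, OfferStatus.Virgin);
    }

    function createTaker(uint256 id, uint256 points) external {
        Offer storage o = offers[id];
        if (o.status != OfferStatus.Virgin && o.status != OfferStatus.Ongoing) revert InvalidStatus(o.status);
        if (points == 0 || o.usedPoints + points > o.points) revert InvalidPoints();
        o.usedPoints += points;
        // Assumed mapping: partially taken -> Ongoing, fully taken -> Filled.
        o.status = o.usedPoints == o.points ? OfferStatus.Filled : OfferStatus.Ongoing;
    }

    function abortAskOffer(uint256 id) external onlyMakerOfVirgin(id) { offers[id].status = OfferStatus.Canceled; }
    function closeOffer(uint256 id) external onlyMakerOfVirgin(id) { offers[id].status = OfferStatus.Canceled; }
}
```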
