Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Valid

offerId inconsistency in PreMarkets::createOffer()

Summary

Vulnerability Details

In PreMarkets.createOffer(), the offerId used for generating addresses starts at 0 and is incremented each time the function is called.

When the virtual addresses are generated, the initial value offerId = 0 is used:

```solidity
address makerAddr = GenerateAddress.generateMakerAddress(offerId);
address offerAddr = GenerateAddress.generateOfferAddress(offerId);
address stockAddr = GenerateAddress.generateStockAddress(offerId);
```

A few lines later, offerId is incremented by 1, so its new value is 1:

```solidity
offerId = offerId + 1;
```

Later in createOffer(), new entries are created in offerInfoMap and stockInfoMap. However, the offerId assigned to them as id is not the one that was used for generating their addresses (offerAddr, stockAddr):

```solidity
offerInfoMap[offerAddr] = OfferInfo({
    id: offerId, // already incremented
    // ... remaining fields elided
});
stockInfoMap[stockAddr] = StockInfo({
    id: offerId, // already incremented
    // ... remaining fields elided
});
```

This creates an inconsistency between the ids stored in the mappings and the way their keys were generated, which might be confusing for users.

Code snippets

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L67-L69

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L83

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L116-L117

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L134-L135

Impact

Inconsistency between the offerId that was used for generating the offer and stock addresses and the id values in offerInfoMap.id and stockInfoMap.id.

Tools Used

Manual review

Recommendations

Increment the offerId at the end of createOffer(), not in the middle of the function.
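
The reported ordering and the recommended one side by side, as an added example that is not Tadle's code. `_offerAddr` is a hypothetical stand-in for `GenerateAddress.generateOfferAddress` (its body is not shown here), the struct is reduced to its `id` field, and the function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; not the project's contract.
contract OfferIdOrdering {
    struct OfferInfo {
        uint256 id;
    }

    uint256 public offerId; // starts at 0, as in the finding
    mapping(address => OfferInfo) public offerInfoMap;

    // Hypothetical derivation standing in for GenerateAddress.generateOfferAddress.
    function _offerAddr(uint256 id) internal pure returns (address) {
        return address(uint160(uint256(keccak256(abi.encode(id, "offer")))));
    }

    // Ordering described in the finding: derive key, increment, then store id.
    // The first call stores id = 1 under the key derived from 0.
    function createOfferAsReported() external returns (address offerAddr) {
        offerAddr = _offerAddr(offerId);
        offerId = offerId + 1;
        offerInfoMap[offerAddr] = OfferInfo({id: offerId});
    }

    // Recommended ordering: store the id that produced the key, increment last.
    function createOfferIncrementLast() external returns (address offerAddr) {
        offerAddr = _offerAddr(offerId);
        offerInfoMap[offerAddr] = OfferInfo({id: offerId});
        offerId = offerId + 1;
    }

    // Invariant a unit test or indexer can assert on an existing entry:
    // the stored id re-derives the key it is stored under.
    // False for entries written by createOfferAsReported, true for the fixed path.
    function idMatchesKey(address offerAddr) external view returns (bool) {
        return _offerAddr(offerInfoMap[offerAddr].id) == offerAddr;
    }

    // With the reported ordering the key is only recoverable from id - 1
    // (stored ids are always >= 1 there, so the subtraction does not underflow).
    function keyFromStoredIdReported(uint256 storedId) external pure returns (address) {
        return _offerAddr(storedId - 1);
    }
}
```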

Updates

Lead Judging Commences

0xnevi Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-createOffer-offerId-increment-after

I believe this is valid low severity, although there is inconsistency here when using the correct `offerId` for assigning offerIds and generating the unique addresses as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L67-L69), this is purely an accounting error for offerIds. If we generate the offerId using current `offerId - 1`, the appropriate listing/taker orders can still be created against those offers.
