The `PreMarket::settleAskTaker` function is responsible for settling an offer and updating associated stock information. However, the function does not include validation checks to ensure that the `_offer` and `_stock` parameters are not zero addresses. This omission could lead to unintended behaviors, including the alteration of unintended storage variables, potential loss of funds, and unexpected contract states.
The vulnerability arises because the `_offer` and `_stock` parameters are passed directly into the function without validation. If an attacker or a user unintentionally passes a zero address (`0x0000000000000000000000000000000000000000`) as either of these parameters, the function will still execute and update storage mappings for the zero address. Specifically:
**Zero Address in `_offer`:** The function will incorrectly increment the `settledPoints` and `settledPointTokenAmount` for the zero address in the `offerInfoMap`, leading to corruption of data related to the zero address.
**Zero Address in `_stock`:** The function will set the `stockStatus` for the zero address in the `stockInfoMap` to `Finished`, again potentially corrupting state and data related to the zero address.
If a zero address is passed for `_offer` or `_stock`, it could lead to unintended modifications of storage variables.
This could potentially corrupt the contract's state or cause unexpected behavior in other parts of the contract that rely on these storage variables.
In extreme cases, it might allow malicious actors to manipulate the contract's state in unintended ways.
Manual Review
Implement zero address checks at the beginning of the function:
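A sketch of such checks, added here as an example and not taken from the report or the project's code. The struct fields, the `Initialized` enum member, the function signature, the contract name and the `ZeroAddress` error are assumptions; only the identifiers named in the finding come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's contract. Layouts, signature and
// error name are assumed; access control and token transfers are omitted.
contract SettleAskTakerSketch {
    enum StockStatus { Initialized, Finished }

    struct OfferInfo {
        uint256 settledPoints;
        uint256 settledPointTokenAmount;
    }

    struct StockInfo {
        StockStatus stockStatus;
    }

    mapping(address => OfferInfo) public offerInfoMap;
    mapping(address => StockInfo) public stockInfoMap;

    // Hypothetical custom error naming the offending parameter.
    error ZeroAddress(string param);

    function settleAskTaker(
        address _offer,
        address _stock,
        uint256 _settledPoints,
        uint256 _settledPointTokenAmount
    ) external {
        // Reject the zero address before any storage write, so the
        // address(0) entries of both mappings are never modified.
        if (_offer == address(0)) revert ZeroAddress("_offer");
        if (_stock == address(0)) revert ZeroAddress("_stock");

        // Same updates the finding describes, now only for non-zero keys.
        OfferInfo storage offerInfo = offerInfoMap[_offer];
        offerInfo.settledPoints += _settledPoints;
        offerInfo.settledPointTokenAmount += _settledPointTokenAmount;

        stockInfoMap[_stock].stockStatus = StockStatus.Finished;
    }
}
```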
These checks will revert the transaction if zero addresses are provided, preventing potential issues.