`settleAskMaker` stricts check the current `_settledPoints` sent to total used points instead of the current requirement as point token is accepted in multiple passes
Summary
The
settleAskMakerallows the offer authority to settle points and allows the authority to deposit the points in multiple passes, so they can deposit the whole amount at once or in multiple turns.When full settle amount is sent, it updates the offer status to settled, but if it is settled in multiple passes and even the point tokens amount reaches to the target
usedPoints, then also it doesn't give back the collateral to the offer authority due to incorrect check implemented, which only allows collateral refund only if amount is transferred in one go, but as it accepts amount to be transferred in multiple passes then it should refund the collateral token at a pass at which full point token is distributed.
Vulnerability Details
The vulnerability is present in the settleAskMaker function where it doesn't refund the collateral to the offer's authority when point token distributed in multiple passes and only allows collateral refund only if whole amount is transferred in one go when following condition is satisfied.
-
As a result of which the offer's authority will never be able to claim a refund of collateral if they try to send it in multiple passes.
Here, theofferInfo.usedPointsshould be compared with the previous deposit points set via theofferInfo.settledPoints. -
Also, another vulnerability exist when updating the
settledPointsand other related parameters viasettledAskOffer, as it doesn't increment the parameters but just updates them leading to incorrect accounting. The parameters will reflect incorrect value and lead to disturbed accounting due to just setting them to value sent instead incrementing them. -
Also, in settledAskOffer, there is no updation related to
settledCollateralAmountwhich should be updated when collateral is sent.
Impact
Incorrect parameter updation instead of incrementing in
settledAskOfferleads to incorrect accounting.Incorrect check in
settleAskMakerto only allow collateral refund only if the whole points are distributed by offer's authority, which leads to not getting the collateral refund when they try to send the point token in multiple passes.
Tools Used
Manual Review
Recommendations
Step 1: Update the parameters in settledAskOffer to be incremented by the values, as below
function settledAskOffer(
address _offer,
uint256 _settledPoints,
uint256 _settledPointTokenAmount
) external onlyDeliveryPlace(tadleFactory, _msgSender()) {
OfferInfo storage offerInfo = offerInfoMap[_offer];
offerInfo.settledPoints += _settledPoints;
offerInfo.settledPointTokenAmount += _settledPointTokenAmount;
Step 2: In settleAskMaker update the below check as:
Lead Judging Commences
finding-DeliveryPlace-settleAskTaker-settleAskMaker-partial-settlements
Valid high, in settleAskTaker/settleAskMaker, if the original offer maker performs a partial final settlement, the existing checks [here](https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L356-L358) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L230-L232) will cause an revert when attempting to complete a full settlement, resulting in their collateral being locked and requiring a rescue from the admin. To note, although examples in the documentation implies settlement in a single click, it is not stated that partial settlements are not allowed, so I believe it is a valid user flow.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.