Submission Details
Severity:
``abortOfferStatus`` is never changed in ``listOffer()``.
Summary
abortOfferStatus is never changed in listOffer().
Vulnerability Details
In the listOffer() function,
function listOffer(address _stock, uint256 _amount, uint256 _collateralRate) external payable {
---SNIP---
/// @dev change abort offer status when offer settle type is turbo
if (makerInfo.offerSettleType == OfferSettleType.Turbo) {
address originOffer = makerInfo.originOffer;
OfferInfo memory originOfferInfo = offerInfoMap[originOffer];
// @audit-issue why memory?
if (_collateralRate != originOfferInfo.collateralRate) {
revert InvalidCollateralRate();
}
originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;
}
}
---SNIP---
if offerSettleType == turbo, abortOfferStatus is set to SubOfferListed but due to originOfferInfo being memory, change is never updated.
Also, even if it was storage, it is overridden here:
offerInfoMap[offerAddr] = OfferInfo({
id: stockInfo.id,
authority: _msgSender(),
maker: offerInfo.maker,
offerStatus: OfferStatus.Virgin,
offerType: offerInfo.offerType,
abortOfferStatus: AbortOfferStatus.Initialized,
points: stockInfo.points,
amount: _amount,
collateralRate: _collateralRate,
usedPoints: 0,
tradeTax: 0,
settledPoints: 0,
settledPointTokenAmount: 0,
settledCollateralAmount: 0
});
Impact
status is never changed for turbo type.
Tools Used
Manual Analysis
Recommendations
change the storage location from memory to storage and have a check for settle type while setting the struct at the end.
Prize pool breakdown
Total prize
30,000 USDC
nSLOC
1,22924 USDC / LOC
25,000 USDC
2,750 USDC
2,250 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.