Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Wrong checks in `MarketplaceLibraries::getMarketPlaceStatus(...)` may disrupt the marketplace lifecycle

Summary

A flaw in the `MarketplaceLibraries::getMarketPlaceStatus(...)` function incorrectly determines when settlement is active, which may disrupt the marketplace lifecycle.

Vulnerability Details

The main problems are:

  • Incorrect interpretation of `tge == 0` as "settlement not active" instead of "marketplace not initialized", as `tge`, once initialized, is always a timestamp in the future (`!= 0`). If you really want to check for "settlement not active", the check should be `if _blockTimestamp < _marketPlaceInfo.tge`, because settlement starts AFTER the token generation event.

  • Lack of explicit handling for the `Online` status, which must be the case since the status is none of `Uninitialized`, `Offline`, `AskSettling`, `BidSettling`.

Impact

Disruption of the marketplace lifecycle. These issues could lead to incorrect marketplace status reporting, affecting various operations that depend on the accurate determination of the marketplace's current state.

Tools Used

Manual review.

Recommendations

Fix `MarketplaceLibraries::getMarketPlaceStatus(...)`:

function getMarketPlaceStatus(uint256 _blockTimestamp, MarketPlaceInfo memory _marketPlaceInfo)
internal
pure
returns (MarketPlaceStatus _status)
{
if (_marketPlaceInfo.status == MarketPlaceStatus.Offline) {
return MarketPlaceStatus.Offline;
}
- /// @dev settle not active
+ /// @dev marketplace is not initialized
if (_marketPlaceInfo.tge == 0) {
- return _marketPlaceInfo.status;
+ return MarketPlaceStatus.UnInitialized;
}
if (_blockTimestamp > _marketPlaceInfo.tge + _marketPlaceInfo.settlementPeriod) {
return MarketPlaceStatus.BidSettling;
}
if (_blockTimestamp > _marketPlaceInfo.tge) {
return MarketPlaceStatus.AskSettling;
}
- return _marketPlaceInfo.status;
+ return MarketPlaceStatus.Online;
}
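
Review bot: The two hard-coded returns, at the `tge == 0` branch and at the end of the function, discard the stored `_marketPlaceInfo.status` that the removed lines passed through. A marketplace whose stored status is already `Online` while `tge` is still 0 would now be reported as `UnInitialized`, so before taking this change confirm which stored statuses are reachable with `tge == 0` and that callers gating on `Online` before the TGE is set still behave as intended; if they do not, keep the pass-through return in that branch and only correct the comment. Also check the member name against the enum declaration, which is not shown here: the hunk uses `UnInitialized` while the report text writes `Uninitialized`. The unchanged `>` comparisons mean a timestamp exactly equal to `tge` still falls through to the final return.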

Validate TGE:

function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
...
+ if(_tge < block.timestamp) revert();
marketPlaceInfo.tge = _tge;
...
}
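
Review bot: The added guard `if(_tge < block.timestamp) revert();` reverts with no error data, so a failed `updateMarket` call gives the owner nothing to diagnose; use a named custom error or a reason string. The `<` comparison accepts `_tge == block.timestamp`, which is not a timestamp in the future as the report's premise requires, so use `<=` if a strictly future TGE is intended. The guard also rejects `_tge = 0`, which means the owner can no longer return a marketplace to the unset-TGE state through this function; document that in the NatSpec if it is intended.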
Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
