Summary

When a user creates an ask offer, he can call preMarktes::abortAskOffer to cancel it and retrieve his full collateral. Similarly, a bid taker should be able to call preMarktes::abortBidTaker to withdraw all of their collateral. However, due to a miscalculation of the depositAmount in the preMarktes::abortBidTaker function, users (bidTakers) are unable to withdraw the full amount of their funds.

Vulnerability Details

The miscalculation occurs in the following code, which determines the depositAmount for the bid taker:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L671

This calculation compute:

But should be :

This incorrect formula results in a significantly lower depositAmount, preventing the bid taker from withdrawing the full collateral they originally deposited.

Poof of Concept

1. Alice creates an ask offer:

• collateral = 10 000 usdc

• points = 1 000

1. Bob buys 100 points from Alice:

• collateral = 1 000 usdc

• points = 100

1. Alice calls abortAskOffer to retrieve her collateral.

2. bob then call abortBidTaker :

• the code process

• Calculation:

  depositAmount = ( 100 × 1000) / 10000 = 10

Bob is only able to claim 10 USDC, despite having originally deposited 1,000 USDC.

impact

• Bid takers like Bob may be unable to recover the full amount of their deposited collateral due to the miscalculation. This results in a direct financial loss for users, which can erode trust in the platform.

• The inability to withdraw full collateral can significantly damage the platform’s reputation. Users who experience losses may spread negative feedback, reducing the platform's credibility and deterring potential users.

Tools Used

manual review, foundry

Recommendations

To ensure that "bid takers" can withdraw the full amount of their deposited collateral, the depositAmount calculation in the abortBidTaker function should be corrected. Specifically, the following formula should be used: