Incorrect token address used in `DeliveryPlace.settleAskTaker()` function for settling `Points` tokens.
Summary
In the DeliveryPlace.settleAskTaker() function, when updating Points tokens for the Maker of the Bid offer, the address used in the tokenManager.addTokenBalance() function is the collateral token address instead of the Points token address.
Vulnerability details
Within the DeliveryPlace.settleAskTaker() function, there is an attempt to update the Points token balance for the Maker of the Bid offer:
However, instead of using marketPlaceInfo.tokenAddress, the code incorrectly uses makerInfo.tokenAddress. This mistake leads to direct manipulation of the user's balance and incorrect accounting.
Impact
Incorrect accounting.
Loss of user
Pointstokens (locked).Protocol loss in the form of collateral tokens (users can withdraw tokens that do not belong to them).
Tools Used
Manual review.
Recommendations
Use the correct marketPlaceInfo.tokenAddress when updating the user's Points token balance in the TokenManager contract.
Lead Judging Commences
finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance
Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.