Vulnerability in abortBidTaker Function: Incorrect Calculation of depositAmount
Summary
A vulnerability has been identified in the abortBidTaker function of the smart contract. The error involves the incorrect calculation of the depositAmount variable, which affects how funds are managed during the abort process. The current implementation of the calculation is inaccurate, leading to potential financial discrepancies.
Vulnerability Details
The abortBidTaker function incorrectly calculates the depositAmount variable. The current implementation is:
Impact
The incorrect calculation of depositAmount can result in financial discrepancies during the abort process, potentially causing participants to receive incorrect amounts of funds. This issue can undermine the integrity of the contract and lead to unintended financial consequences.
Tools Used
Manual Code Review
Recommendations
To resolve this vulnerability, update the abortBidTaker function to use the corrected calculation for depositAmount. Implement the following change:
Lead Judging Commences
finding-PreMarkets-abortBidTaker-amount-wrong-StockInfo-points
Valid high severity, due to incorrect computation of `depositAmount` within `abortBidTaker`, when aborting bid offers created by takers, the collateral refund will be completely wrong for the taker, and depending on the difference between the value of `points` and `amount`, it can possibly even round down to zero, causing definite loss of funds. If not, if points were worth less than the collateral, this could instead be used to drain the CapitalPool contract instead.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.