Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

Incorrect `TokenBalanceType` used in the `DeliveryPlace.settleAskTaker()` and `DeliveryPlace.settleAskMaker()` functions.

Summary

An incorrect `TokenBalanceType` is used when settling collateral refunds or compensation in the `DeliveryPlace.settleAskTaker()` function.

An incorrect `TokenBalanceType` is used when settling the collateral refund in the `DeliveryPlace.settleAskMaker()` function.

Vulnerability Details

In the code:

File: DeliveryPlace.sol (lines 301-306)

```solidity
tokenManager.addTokenBalance(
    TokenBalanceType.SalesRevenue, // <== should be MakerRefund, this is refund, SalesRevenue was already added when Takers take offer
    _msgSender(),
    makerInfo.tokenAddress,
    makerRefundAmount
);
```

File: DeliveryPlace.sol (lines 400-414)

```solidity
if (_settledPoints == stockInfo.points) {
    tokenManager.addTokenBalance(
        TokenBalanceType.RemainingCash, // <== should be MakerRefund, as _msgSender() is at this point a collateral provider
        _msgSender(),
        makerInfo.tokenAddress,
        collateralFee
    );
} else {
    tokenManager.addTokenBalance(
        TokenBalanceType.MakerRefund, // <== should be RemainingCash, as this is compensation for missing points
        offerInfo.authority,
        makerInfo.tokenAddress,
        collateralFee
    );
}
```

Impact

Incorrect accounting in the TokenManager contract.

Tools Used

Manual review.

Recommendations

Use correct TokenBalanceType values in the code.
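
The accounting effect can be modelled outside the contract. The Python sketch below is an added example, not part of the submission or of Tadle's code; it replays the quoted calls with the reported types and with the types the finding proposes, then compares the resulting ledgers. Assumptions: `Ledger` is a stand-in for `TokenManager` keyed by (user, token, balance type), the enum is reduced to the three values named in the finding, each quoted snippet is matched to its function by following the Summary, and the accounts and amounts are constructed.

```python
from collections import defaultdict
from enum import Enum

class TokenBalanceType(Enum):
    # Only the three values named in the finding (reduced, assumed enum).
    SalesRevenue = 1
    RemainingCash = 2
    MakerRefund = 3

T = TokenBalanceType

class Ledger:
    """Assumed model of TokenManager: balances keyed by (user, token, type)."""
    def __init__(self):
        self.user_token_balance_map = defaultdict(int)

    def add_token_balance(self, balance_type, user, token, amount):
        self.user_token_balance_map[(user, token, balance_type)] += amount

    def total(self, user, token):
        # Sum over every balance type: what the user is owed overall.
        return sum(v for (u, t, _), v in self.user_token_balance_map.items()
                   if (u, t) == (user, token))

def settle_ask_maker(ledger, fixed, sender, token, maker_refund_amount):
    # The quoted makerRefundAmount call: a refund credited as SalesRevenue.
    kind = T.MakerRefund if fixed else T.SalesRevenue
    ledger.add_token_balance(kind, sender, token, maker_refund_amount)

def settle_ask_taker(ledger, fixed, sender, authority, token, fee, all_settled):
    # The quoted collateralFee branch: the two types are swapped as reported.
    if all_settled:
        kind = T.MakerRefund if fixed else T.RemainingCash
        ledger.add_token_balance(kind, sender, token, fee)
    else:
        kind = T.RemainingCash if fixed else T.MakerRefund
        ledger.add_token_balance(kind, authority, token, fee)

def run(fixed):
    """Constructed scenario: one maker settlement, two taker settlements."""
    ledger = Ledger()
    settle_ask_maker(ledger, fixed, "maker", "USDC", 100)
    settle_ask_taker(ledger, fixed, "taker", "maker", "USDC", 40, True)
    settle_ask_taker(ledger, fixed, "taker2", "maker", "USDC", 25, False)
    return ledger

def mislabelled(reported, corrected):
    """Ledger keys whose per-type balance differs between the two runs."""
    a, b = reported.user_token_balance_map, corrected.user_token_balance_map
    return {k for k in set(a) | set(b) if a.get(k, 0) != b.get(k, 0)}
```

Comparing `run(False)` with `run(True)` gives identical per-user totals while five per-type entries differ, which is the gap a per-type reconciliation check would flag.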

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskMaker-addTokenBalance-wrong-TokenBalanceType

Valid low severity. While the token type inputted is wrong, `userTokenBalanceMap` is still incremented appropriately, so users can still withdraw their funds. So this would technically only affect accounting and public view functions.
