Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Partial settlement in the `DeliveryPlace.settleAskTaker()` function can result in a loss of funds for the Taker of the Bid offer.

eeyore

Summary

In the case of a partial settlement in the DeliveryPlace.settleAskTaker() function, the Taker of the Bid offer will transfer Points tokens to settle the Bid offer. Unfortunately, this transfer will not reduce the collateral based on the settled amount. As a result, the Taker will lose both the deposited collateral and the Points tokens transferred for settlement, because the stock will be updated to the status Finished, preventing a full settlement.

Vulnerability Details

In the DeliveryPlace.settleAskTaker() function, there is a check:

File: DeliveryPlace.sol

356: if (_settledPoints > stockInfo.points) {

357: revert InvalidPoints();

358: }

This check indicates that _settledPoints can range from 0% to 100% of stockInfo.points. However, if the Taker of the Bid offer opts for a partial settlement (0 < _settledPoints < stockInfo.points), all transferred Points tokens will be lost. Additionally, the Taker will not be able to settle the stock in full, leading to the loss of their entire collateral and the Points tokens, which will be distributed to the Maker of the Bid offer as compensation.

This issue arises because after calling the DeliveryPlace.settleAskTaker() function, the stock status will be set to Finished, and all settled Points tokens will be allocated to the Maker. Consequently, the Taker's collateral will not be proportionally reduced.

Impact

The Taker of the Bid offer will lose funds in the form of Points tokens and collateral tokens proportional to the settled Points tokens.

Tools Used

Manual review.

Recommendations

Prevent partial settlements by requiring either 0 _settledPoints or the full amount of stockInfo.points.

OR
If partial settlements are permitted, adjust the collateral used for compensation and refund a portion to the Taker proportional to the transferred _settledPoints amount.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-settleAskMaker-partial-settlements

Valid high, in settleAskTaker/settleAskMaker, if the original offer maker performs a partial final settlement, the existing checks [here](https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L356-L358) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L230-L232) will cause an revert when attempting to complete a full settlement, resulting in their collateral being locked and requiring a rescue from the admin. To note, although examples in the documentation implies settlement in a single click, it is not stated that partial settlements are not allowed, so I believe it is a valid user flow.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.