Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Invalid

Incorrect Authorization Checks in contract DeliveryPlace

Hello Tadle,

  • The authorization checks in settleAskMaker and settleAskTaker are based on the offerInfo.authority and _msgSender(). However, the logic differentiates between whether the caller is the authority or the owner, but this is not consistent or secure.

  • For instance, the fallback to checking owner() in cases where the MarketPlaceStatus is not AskSettling might unintentionally allow unauthorized access if the owner is compromised or if the market status is manipulated.

Solution: Improve the authorization logic by ensuring consistent and strict checks. Consider using a role-based access control mechanism, such as OpenZeppelin’s AccessControl, to define clear roles and permissions.
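As an added illustration (not the project's code and not part of the submission): a sketch of the status-dependent branch the report describes, next to a role-based variant of the kind it suggests. The enum values, the OfferInfo fields, the SETTLER_ROLE name and the contract names are assumptions made for the example; the real DeliveryPlace types are not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical status enum and offer record for the example only.
enum MarketPlaceStatus { Online, AskSettling, Offline }

struct OfferInfo {
    address authority; // the maker allowed to settle this offer
    uint256 points;
}

// Shape of the branch described in the submission: during AskSettling only
// offerInfo.authority may settle; in every other status the check falls back
// to owner(), so the owner key alone decides who can settle any offer.
contract OwnerFallbackSettle is Ownable {
    error Unauthorized();

    mapping(address => OfferInfo) public offers;
    mapping(address => MarketPlaceStatus) public status;

    constructor() Ownable(msg.sender) {}

    function settleAskMaker(address offer, uint256 settledPoints) external {
        OfferInfo storage offerInfo = offers[offer];
        if (status[offer] == MarketPlaceStatus.AskSettling) {
            if (_msgSender() != offerInfo.authority) revert Unauthorized();
        } else {
            // Fallback: outside the settling window any call from owner()
            // passes, whatever offer or maker is affected.
            if (_msgSender() != owner()) revert Unauthorized();
        }
        _settle(offerInfo, settledPoints);
    }

    function _settle(OfferInfo storage offerInfo, uint256 settledPoints) internal {
        offerInfo.points = settledPoints;
    }
}

// Role-based alternative along the lines the submission proposes: the
// late-settlement path is gated by a dedicated SETTLER_ROLE (hypothetical
// name) instead of owner(), and the status requirement is explicit in
// every branch, so an unexpected status reverts rather than widening access.
contract RoleBasedSettle is AccessControl {
    bytes32 public constant SETTLER_ROLE = keccak256("SETTLER_ROLE");

    error Unauthorized();
    error WrongStatus();

    mapping(address => OfferInfo) public offers;
    mapping(address => MarketPlaceStatus) public status;

    constructor(address admin, address settler) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(SETTLER_ROLE, settler);
    }

    function settleAskMaker(address offer, uint256 settledPoints) external {
        OfferInfo storage offerInfo = offers[offer];
        MarketPlaceStatus s = status[offer];
        if (s == MarketPlaceStatus.AskSettling) {
            // The maker settles its own offer inside the window.
            if (_msgSender() != offerInfo.authority) revert Unauthorized();
        } else if (s == MarketPlaceStatus.Offline) {
            // Forced settlement after the window needs the explicit role,
            // which can be held by a key separate from the admin.
            if (!hasRole(SETTLER_ROLE, _msgSender())) revert Unauthorized();
        } else {
            revert WrongStatus();
        }
        _settle(offerInfo, settledPoints);
    }

    function _settle(OfferInfo storage offerInfo, uint256 settledPoints) internal {
        offerInfo.points = settledPoints;
    }
}
```

The role-based version does not remove the privileged path; it makes the privilege a separately grantable and revocable role and rejects statuses the code was not written for, which is the consistency the submission asks for.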

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
