Submission Details
Severity:
Incorrect Calculation of Remaining Amount for Canceled Offers with zero used points in `PreMarkets.sol::abortAskOffer` Function
## Summary
The `abortAskOffer` function contains an incorrect calculation for the `remainingAmount` when transitioning an offer from the `Virgin` status to the `Canceled` status, which may result in financial discrepancies and inaccurate refund amounts. The issue lies in the calculation logic, where the remainingAmount does not accurately reflect the unused portion of the offer when `usedPoints` is zero.
## Vulnerability Details
In the `abortAskOffer` function the `remainingAmount` is calculated as follows:
```solidity
uint256 remainingAmount;
if (offerInfo.offerStatus == OfferStatus.Virgin) {
remainingAmount = offerInfo.amount;
} else {
remainingAmount = offerInfo.amount.mulDiv(
offerInfo.usedPoints,
offerInfo.points,
Math.Rounding.Floor
);
}
```
This calculation is incorrect for offers with zero `usedPoints` that has `canceled` status because `Math.Rounding.Floor` could cause a loss for the user. The `remainingAmount` should be the total amount if no points have been used, ensuring that the sum of used and remaining amounts equals the total amount. The correct calculation should explicitly handle the case where `usedPoints` is zero:
```solidity
uint256 remainingAmount;
if (offerInfo.offerStatus == OfferStatus.Virgin || offerInfo.usedPoints == 0) {
remainingAmount = offerInfo.amount;
} else {
...
}
```
## Impact
This issue can lead to financial discrepancies where the remaining amount does not correctly represent the unused portion of the offer. This might result in incorrect refund amounts being calculated and credited to the offer authority. Consequently, users may receive less than they are entitled to, causing potential financial losses and undermining the protocol's trust and reliability.
## Tools Used
Manual code review and logic analysis.
## Recommendations
Update the calculation for the `remainingAmount` to correctly reflect the unused portion of the offer. The revised calculation should be:
```solidity
uint256 remainingAmount;
if (offerInfo.offerStatus == OfferStatus.Virgin || offerInfo.usedPoints == 0) {
remainingAmount = offerInfo.amount;
} else {
...
}
```
## Severity
Considering the financial impact and the potential for incorrect refunds, this issue is of **medium** severity. It does not pose an immediate critical risk but can lead to financial inaccuracies and undermine user trust in the protocol if left unaddressed. Addressing this issue promptly will ensure that users receive accurate refunds, maintaining the integrity and reliability of the platform.
Updates
Lead Judging Commences
0xnevi about 1 year ago
Submission Judgement Published Assigned finding tags:
[invalid] finding-PreMarkets-abortAskOffer-remainingAmount-compute
Valid high, for cancelled offers, the unused collateral should be returned back to the maker. The `remainingAmount` is calculated wrongly with regards to usedPoints instead of unused points. Note: See comments under 826 and 907 for invalidation reasons
Appeal created
0xnevi about 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
[invalid] finding-PreMarkets-abortAskOffer-remainingAmount-compute
Valid high, for cancelled offers, the unused collateral should be returned back to the maker. The `remainingAmount` is calculated wrongly with regards to usedPoints instead of unused points. Note: See comments under 826 and 907 for invalidation reasons
Prize pool breakdown
Total prize
27,750 USDC
nSLOC
1,22923
USDC / LOC
25,000 USDC
2,750 USDC
2,250 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.