Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Buyers can never recieve pointTokens and the accounting system of the protocol is broken due to a typo in the settleAskTaker function when adding balance.

touthang

Summary

In the DeliveryPlace contract, when settleAskTaker is called by a seller to settle pointTokens for the buyer, the function incorrectly updates the makerInfo.tokenAddress instead of the marketPlaceInfo.tokenAddress.

Vulnerability Details

The makerInfo's tokenAddress is the address of the token that is used as collateral or the advance payment, in this case it is the advance payment token made by the buyer.
Whereas, the marketPlaceInfo's tokenAddress is the address of the points tokens, as we can also confirm here and here.

ITokenManager tokenManager = tadleFactory.getTokenManager();

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress,

settledPointTokenAmount,

true

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

offerInfo.authority,

makerInfo.tokenAddress,

settledPointTokenAmount

);

}

We can see from the code that when the seller tries to settle the pointTokens to the buyer the function will pull in the marketPlaceInfo.tokenAddress as the pointToken but call addTokenBalance with makerInfo.tokenAddress.

Impact

Buyers will never recieve the point tokens that they bought, instead they will get the same token they they used to pay the points. This will break the accounting system of the protocol since a pointsToken is added to the capital pool but the balance of a different token is increased.

The buyer's loss or gain due to this mistake will depend on multiple factors such as the initial ratio of points to amount, the tokenPerPoint and the actual price of the token, etc.

This mistake is also found in the closeBidTaker function.

Tools Used

manual

Recommendations

Change this line in settleAskTaker fucntion to:

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

offerInfo.authority,

- makerInfo.tokenAddress,

+ marketPlaceInfo.tokenAddress,

settledPointTokenAmount

);

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.