The NatSpec of the abortBidTaker function says "Only offer owner can abort bid taker", but the check is on the stock.
The Natspec documentation for abortBidTaker states:
```solidity
/**
 * @notice abort bid taker
 * @param _stock stock address
 * @param _offer offer address
 * @notice Only offer owner can abort bid taker
 * @dev Only offer abort status is aborted can be aborted
 * @dev Update stock authority refund amount
 */
```
This code checks if the caller (msg.sender) is the authority of the StockInfo, not the OfferInfo. The correct check should ensure that the caller is the authority of the offer specified by _offer.
The function allows any account that is the authority of the stock (rather than the offer) to abort a bid taker. This deviation from the intended access control could enable unauthorized users to abort bid takers, potentially disrupting the intended operation of the contract.
Update the abortBidTaker function to check if the caller (msg.sender) is the authority of the offer, as specified in the Natspec documentation. Modify the access control check as follows:
Invalid. When taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer, aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Hence, we should verify `stockInfoMap` regardless of the taker order being an ASK (selling points) or BID (buying points) taker order, so there is no issue here other than a documentation error.
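As an added illustration (not Tadle's code, and not from the finding or the judge's comment), the hypothetical Solidity contract below models the relationship the judge describes: the stock record written when a taker order is created carries the `authority` that `abortBidTaker` later checks, so an owner check against `stockInfoMap` is the intended access control and the NatSpec wording is what is off. The struct fields, the `createOffer`/`createTaker`/`abortOffer` helpers, the choice to record the taker-order creator as the stock authority, and the `preOffer` consistency check are all assumptions made for this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical model for illustration only; not Tadle's PreMarkets code.
/// It follows the quoted NatSpec (owner-only, abort-status check, refund update)
/// and the judge's point that the stock record holds the authority to check.
contract AbortBidTakerModel {
    enum AbortStatus { Initialized, Aborted }

    struct OfferInfo {
        address authority;       // maker who created the offer (assumed field)
        AbortStatus abortStatus; // maker must abort before takers can be refunded
    }

    struct StockInfo {
        address authority;       // owner recorded when the taker order was created
        address preOffer;        // the offer the taker order was placed against
        uint256 amount;          // collateral the taker deposited (assumed field)
        uint256 refundAmount;    // "Update stock authority refund amount"
        bool aborted;
    }

    mapping(address => OfferInfo) public offerInfoMap;
    mapping(address => StockInfo) public stockInfoMap;

    error Unauthorized();
    error InvalidOffer();
    error InvalidOfferStatus();
    error InvalidStockStatus();

    /// Maker side: the creator becomes the offer's authority.
    function createOffer(address _offer) external {
        offerInfoMap[_offer] = OfferInfo({authority: msg.sender, abortStatus: AbortStatus.Initialized});
    }

    /// Taker side: the stock record stores the authority that gates abortBidTaker.
    /// Assumption in this model: the creator of the taker order is recorded here,
    /// which is what makes the later stockInfoMap check an owner check.
    function createTaker(address _offer, address _stock, uint256 _amount) external {
        if (offerInfoMap[_offer].authority == address(0)) revert InvalidOffer();
        stockInfoMap[_stock] = StockInfo({
            authority: msg.sender,
            preOffer: _offer,
            amount: _amount,
            refundAmount: 0,
            aborted: false
        });
    }

    /// Maker aborts the offer; the NatSpec requires this before a bid taker can abort.
    function abortOffer(address _offer) external {
        OfferInfo storage offer = offerInfoMap[_offer];
        if (offer.authority != msg.sender) revert Unauthorized();
        offer.abortStatus = AbortStatus.Aborted;
    }

    /// abort bid taker, gated on the stock record rather than on offerInfoMap[_offer].
    function abortBidTaker(address _stock, address _offer) external {
        StockInfo storage stock = stockInfoMap[_stock];
        OfferInfo storage offer = offerInfoMap[_offer];

        // Owner check: the authority stored on the stock, not the maker of _offer.
        if (stock.authority != msg.sender) revert Unauthorized();
        // Consistency check (assumption of this model): _stock must belong to _offer,
        // otherwise a caller could pair their own stock with an unrelated aborted offer.
        if (stock.preOffer != _offer) revert InvalidOffer();
        // "Only offer abort status is aborted can be aborted"
        if (offer.abortStatus != AbortStatus.Aborted) revert InvalidOfferStatus();
        if (stock.aborted) revert InvalidStockStatus();

        // "Update stock authority refund amount"
        stock.aborted = true;
        stock.refundAmount = stock.amount;
    }
}
```

The point the model makes is that whether the owner check is "right" depends on who is written into `StockInfo.authority` at taker creation; reading that assignment (the line the judge links) settles the question, and the `preOffer` check is the extra guard a reviewer would look for so that `_offer` cannot be chosen freely by the caller.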