Tadle
DeFiFoundry
27,750 USDC

Submission Details
Severity: medium
Status: Invalid

Lack of Slippage Protection in Settlement Functions

Summary

The DeliveryPlace contract's settleAskMaker and settleAskTaker functions lack slippage protection mechanisms. This omission can lead to unfavorable trades for users in volatile market conditions, potentially resulting in significant financial losses.

Vulnerability Details

The vulnerability stems from the use of a fixed tokenPerPoint value when calculating the settled amount, without considering market price fluctuations between offer creation and settlement.

The relevant code in settleAskMaker:

    function settleAskMaker(address _offer, uint256 _settledPoints) external {
        // ... (other code)
        uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint * _settledPoints;
        ITokenManager tokenManager = tadleFactory.getTokenManager();
        if (settledPointTokenAmount > 0) {
            tokenManager.tillIn(
                _msgSender(),
                marketPlaceInfo.tokenAddress,
                settledPointTokenAmount,
                true
            );
        }
        // ... (rest of the function)
    }

Similarly, in the settleAskTaker function:

    function settleAskTaker(address _stock, uint256 _settledPoints) external {
        // ... (other code)
        uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint * _settledPoints;
        ITokenManager tokenManager = tadleFactory.getTokenManager();
        if (settledPointTokenAmount > 0) {
            tokenManager.tillIn(
                _msgSender(),
                marketPlaceInfo.tokenAddress,
                settledPointTokenAmount,
                true
            );
        }
        // ... (rest of the function)
    }

In both functions, marketPlaceInfo.tokenPerPoint is used as a fixed value to calculate the settled amount. This approach does not account for potential market price changes between the time an offer is made and the time it is settled.

Impact

The lack of slippage protection can lead to several negative outcomes:

  1. Financial losses for users due to unfavorable trade execution in volatile markets.

  2. Potential for market manipulation, where malicious actors could exploit price fluctuations to their advantage.

  3. Reduced user trust in the platform due to unexpected trade outcomes.

  4. In extreme cases, significant value loss for the protocol if large trades are executed at unfavorable rates.

Tools Used

Manual review

Recommendations

Modify the settlement functions to accept a minimum acceptable rate parameter. Pseudocode for the fix:

    function settleAskMaker(address _offer, uint256 _settledPoints, uint256 _minTokenPerPoint) external {
        // ... existing checks ...
        uint256 currentTokenPerPoint = getCurrentTokenPerPoint(); // Implement this function
        require(currentTokenPerPoint >= _minTokenPerPoint, "Slippage exceeded");
        uint256 settledPointTokenAmount = currentTokenPerPoint * _settledPoints;
        // ... rest of the function ...
    }

Also consider implementing a getCurrentTokenPerPoint() function that fetches the current market rate from a reliable oracle or price feed.

Add similar protection to the settleAskTaker function.

Updates

Lead Judging Commences
0xnevi (Lead Judge), about 1 year ago

Submission Judgement Published
0xnevi (Lead Judge), about 1 year ago
Invalidated
Reason: Incorrect statement
