Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

Incorrect `offerId` when populating `OfferInfo` and `StockInfo` struct data in the `PreMarkets.createOffer()` function.

Summary

The `offerId` is incremented before the entries in the `offerInfoMap` and `stockInfoMap` mappings are updated.

Vulnerability Details

The `offerId = offerId + 1;` update is performed before the `offerInfoMap` and `stockInfoMap` mappings are updated, leading to an incorrect `offerId` being used for `OfferInfo.id` and `StockInfo.id`.

File: `PreMarkets.sol` (lines 83, 116-117, 134-135)

```solidity
offerId = offerId + 1; // <== premature update
...
offerInfoMap[offerAddr] = OfferInfo({
    id: offerId, // <== incorrect value
...
stockInfoMap[stockAddr] = StockInfo({
    id: offerId, // <== incorrect value
```

Impact

  • Incorrect data indexation.

Tools Used

Manual review.

Recommendations

Increment the `offerId` only after the `offerInfoMap` and `stockInfoMap` mappings have been updated.
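
The ordering issue and the recommended fix side by side, as an added example that is not code from the Tadle repository. The contract is a simplified model: the struct fields, the `_offerAddr` helper and the function names are hypothetical, and it assumes the map key is derived from the counter before the increment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration: simplified model, not the Tadle PreMarkets contract.
// Struct fields, function names and _offerAddr() are hypothetical stand-ins.
contract OfferIdOrdering {
    struct OfferInfo {
        uint256 id;
        address maker;
    }

    uint256 public offerId;
    mapping(address => OfferInfo) public offerInfoMap;

    // Hypothetical deterministic address derivation keyed on the id.
    function _offerAddr(uint256 id) internal pure returns (address) {
        return address(uint160(uint256(keccak256(abi.encode("offer", id)))));
    }

    // Pattern from the finding: the counter is bumped before the struct is written.
    function createOfferIncrementFirst() external returns (address offerAddr) {
        offerAddr = _offerAddr(offerId); // key derived from N
        offerId = offerId + 1;           // premature update
        // Stored id is N + 1 while the map key was derived from N.
        offerInfoMap[offerAddr] = OfferInfo({id: offerId, maker: msg.sender});
    }

    // Recommended ordering: write the struct first, then bump the counter.
    function createOfferIncrementLast() external returns (address offerAddr) {
        offerAddr = _offerAddr(offerId);
        offerInfoMap[offerAddr] = OfferInfo({id: offerId, maker: msg.sender});
        offerId = offerId + 1;
    }

    // Invariant check: the address re-derived from the stored id must equal
    // the key the record is stored under. Returns false for records written
    // by createOfferIncrementFirst() and true for createOfferIncrementLast().
    function idMatchesAddress(address offerAddr) external view returns (bool) {
        return _offerAddr(offerInfoMap[offerAddr].id) == offerAddr;
    }
}
```

A check like `idMatchesAddress` can be asserted in a unit or invariant test after every offer creation to catch this class of off-by-one in stored ids.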

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-createOffer-offerId-increment-after

I believe this is valid low severity, although there is inconsistency here when using the correct `offerId` for assigning offerIds and generating the unique addresses as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L67-L69), this is purely an accounting error for offerIds. If we generate the offerId using current `offerId - 1`, the appropriate listing/taker orders can still be created against those offers.
