Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Ineffective attempt to change `abort offer status` for `origin` offer in `Turbo` market in the `PreMarkets.listOffer()` function.

eeyore

Summary

There is an attempt to update the storage value of one of the elements from the offerInfoMap mapping, but memory is used instead of storage, rendering the update ineffective.

Vulnerability Details

In the PreMarkets.listOffer() function, a copy of the struct is made to memory instead of directly using the storage value:

File: PreMarkets.sol

335: if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

336: address originOffer = makerInfo.originOffer;

337: OfferInfo memory originOfferInfo = offerInfoMap[originOffer]; // <== memory is used

338:

339: if (_collateralRate != originOfferInfo.collateralRate) {

340: revert InvalidCollateralRate();

341: }

342: originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed; // <== incorrect update on memory, has no effect outside if

343: }

This leads to a situation where the origin offer in the Turbo market can be aborted, and part of its collateral can be retrieved by the Maker. As a result, all subsequent offers in that market will never be settled with Points tokens, leading to undercompensation.

Impact

Incorrect contract state.
Loss of funds for Takers in the Turbo market.

Tools Used

Manual review.

Recommendations

Use storage instead of memory for the originOfferInfo declaration.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-listOffer-originIOfferInfo-storage-memory

Valid high severity, because the `abortOfferStatus` of the offer is not updated and persist through `storage` when listing an offer for turbo mode within the `offerInfoMap` mapping, it allows premature abortion given the `abortOfferStatus` defaults to `Initialized`, allowing the bypass of this [check](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L552-L557) here and allow complete refund of initial collateral + stealing of trade tax which can potentially be gamed for profits using multiple addresses

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.