Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

An attacker can exploit the system and extract value from other users without any collateral risk.

eeyore

Summary

There is no incentive for any user to settle their Ask offers because the revenue for the sold Points is accounted for the Maker ahead of time and not during the settlement process.

Vulnerability Details

Currently, the revenue for an Ask offer is credited to the Maker during the Take operation in the PreMarkets.createTaker() function:

File: PreMarkets.sol
934: if (offerInfo.offerType == OfferType.Ask) {
935: tokenManager.addTokenBalance( // <== revenue is credited to the Maker ahead of settlement.
936: TokenBalanceType.SalesRevenue,
937: offerInfo.authority,
938: makerInfo.tokenAddress,
939: _depositAmount
940: );
941: } else {

This contradicts the documentation here:
After it is settled, sellers will receive their initial collateral and buyer's funds.

The documentation implies that the Maker should be incentivized to settle, as buyers' funds would be refunded and also compensation from the initial collateral would be provided to them if the Maker does not settle.

However, in the current smart contracts, this is not implemented. Takers are barely refunded at the end, still losing funds in the form of fees (protocol and maker bonus).

Here is a scenario of how the system can be exploited:

  1. An attacker creates an Ask offer (of 1000 USDC value) with an undervalued Points price to attract Takers, depositing 1000 USDC as collateral. The catch is Bonus for Maker is set to 5-10%, and it could be a Turbo market to collect fees from all trades.

  2. Takers are attracted by the price and take the offer from the attacker.

  3. After the offer is filled, the attacker withdraws the revenue, which equals the collateral deposit, incurring no risk.

  4. The attacker repeats the attack by creating another offer.

  5. Right after TGE, the attacker either does not settle (as there is no risk for them; all collateral is extracted) or, if the Points are worth less than sold, settles and profits from the collateral refund.

The main attacker profits are from the fees collected from the Bonus for Maker tax.
But if the Points are worth less than sold, the attacker can also gain additional profit from settling, though this is not required for the attack to be profitable.

Thus, the attacker can exploit the system, extract value from other users, and spam the system with useless offers, leading to a lack of trust in the protocol in the future.

Impact

  • Funds extracted from other users.

  • Lack of proper incentive for settling in the system.

Tools Used

Manual review.

Recommendations

Do not account for the revenue for the Maker when the offer is Taken. The funds should only be released after settlement, and in the case of no settlement, the funds should be refunded to Takers with additional compensation from the collateral.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-DeliveryPlace-owner-do-not-call-settleAskMaker

Invalid, the makers are incentivized to settle offers to earn maker bonuses when subsequent takers and makers make trade using the original collateral put up for points as well as get back their initial collateral. Additionally, if they do not settle on time, they will lose all their initial collateral, forcing the `owner` to come in and perform the settlement and retrieving that collateral. This is noted as a design decision [here](https://tadle.gitbook.io/tadle/how-tadle-works/features-and-terminologies/settlement-and-collateral-rate) If all else fails, the `owner` can come in to settle as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L254-L256) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L365-L367) offers to allow closing offers and subsequently allowing refunds. I acknowledge that perhaps a more decentralized

Appeal created

eeyore Submitter
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-immediate-withdrawal-allow-maker-steal-funds

Valid high severity, given orginal offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.