Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Incorrect point token address in closeBidTaker & settleAskTaker

Summary

The point token address used in closeBidTaker() is incorrect. As a result, the bidder cannot withdraw the expected point tokens.

Vulnerability Details

In DeliveryPlace, once an ask maker has finished settling by transferring the settled point tokens into capitalPools, the bid taker can claim the expected point tokens via closeBidTaker().
In closeBidTaker(), we calculate the point token amount the bid is entitled to and update the bidder's token balance. The problem is that the balance is updated under the wrong token address. Here makerInfo.tokenAddress is the maker's collateral token, e.g. USDC, USDT, or some other collateral. The correct point token address is in marketPlaceInfo.tokenAddress.

```solidity
function closeBidTaker(address _stock) external {
    ...
    uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(
        userRemainingPoints,
        offerInfo.usedPoints,
        Math.Rounding.Floor
    );
    // @audit The bid taker should be credited the point token
    // (marketPlaceInfo.tokenAddress), not makerInfo.tokenAddress.
    tokenManager.addTokenBalance(
        TokenBalanceType.PointToken,
        _msgSender(),
        makerInfo.tokenAddress, // @audit <= wrong token address
        pointTokenAmount
    );
    perMarkets.updateStockStatus(_stock, StockStatus.Finished);
}
```

Impact

Bidders cannot withdraw the expected point tokens and can instead withdraw the same amount of the collateral token. The bidder may profit or lose depending on the two tokens' decimals and prices.

This has further knock-on effects. If the bidder withdraws the wrongly credited collateral token, some point tokens will be stuck in the capitalPool and the collateral tokens will be insufficient.

Tools Used

Manual

Recommendations

Correct the point token address to marketPlaceInfo.tokenAddress.
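The accounting effect described under Impact, and the effect of the recommended fix, can be seen in a small model. This is an added example, not code from the submission or from Tadle: the `Ledger` class, the `scenario` helper, the token labels, the assumed decimals and all amounts are constructed for illustration.

```python
# Added illustration: a toy ledger, not Tadle's contracts.
# Token labels, decimals and amounts are constructed sample values.
from collections import defaultdict

USDC = "USDC"    # stands in for makerInfo.tokenAddress (collateral, 6 decimals assumed)
POINT = "POINT"  # stands in for marketPlaceInfo.tokenAddress (18 decimals assumed)


class Ledger:
    """Pool holdings and per-user claimable balances, both keyed by token."""

    def __init__(self):
        self.pool = defaultdict(int)    # token -> base units held by the pool
        self.claims = defaultdict(int)  # (user, token) -> base units credited

    def add_token_balance(self, user, token, amount):
        self.claims[(user, token)] += amount

    def owed(self):
        totals = defaultdict(int)
        for (_, token), amount in self.claims.items():
            totals[token] += amount
        return totals

    def shortfalls(self):
        """Tokens whose credited claims exceed what the pool actually holds."""
        owed = self.owed()
        return {t: owed[t] - self.pool[t] for t in owed if owed[t] > self.pool[t]}

    def unclaimed(self, token):
        """Pool holdings of `token` that no credited balance can withdraw."""
        return self.pool[token] - self.owed()[token]


def scenario(credit_token):
    """Settle 100 point tokens, then close the bid crediting `credit_token`."""
    ledger = Ledger()
    ledger.pool[USDC] = 5_000 * 10**6                       # other users' collateral
    ledger.add_token_balance("others", USDC, 5_000 * 10**6)
    settled = 100 * 10**18                                  # ask maker's settlement
    ledger.pool[POINT] = settled
    remaining_points, used_points = 100, 100                # bidder holds every point
    amount = settled * remaining_points // used_points      # floor mulDiv, as in the snippet
    ledger.add_token_balance("bidder", credit_token, amount)
    return ledger


for label, token in (("buggy", USDC), ("fixed", POINT)):
    result = scenario(token)
    print(label, dict(result.shortfalls()), result.unclaimed(POINT))
```

The same per-token check (credited balances never exceed pool holdings) works as an invariant in a test suite for this kind of ledger.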

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.
