Tadle

Summary

The trader can create one taker to match with one offer. And the offer address is generated via address(uint160(uint256(keccak256(abi.encode(_id, "maker"))))). If re-org happens in some Layer2 network, one maker can own the original offer address via front-run the original offer.

Vulnerability Details

In readme, the sponsor mentions that the Tadle is for Ethereum and any EVM. In some EVM, especially some Layer2 network, such as Arbitrum, the re-org behavior is possible and need to be considerred.

In Tadle, the maker can create one offer via createOffer(), one offer address will be generated via generateMakerAddress(). The offer address is only related with the offerId. And the taker can match with this offer to trade the points.

If re-org happens, malicious maker can createOffer() via frontrun the original createOffer() and then the original taker will match with the malicious maker's offer. This may cause taker's fund loss.

For example:

1. Alice creates one offer. And the offer address is X.

2. Bob creates one taker to match with offer X.

3. Re-org happens, Cathy monitors this event, and create one offer, and the offer address is X.

4. Alice's create offer transaction is executed, the Alice's new offer address is Y.

5. Bob's transaction is executed, Bob will buy Cathy's points.
   Noted that when the maker creates one offer, the tradeTax and point price, specific market can be defined with the maker. Bob may buy unexpected market point or pay more tax for it if the bob has approved enough allowance for this contract.

Impact

Users may buy some unexpected points or pay more for the points.

Tools Used

Manual

Recommendations

When we create one offer address, considering adding msg.sender, amount, marketplace as the salt. Then even if re-org happens, the taker will not interact with one unexpected offer.