The relistOffer function in the contract fails to enforce a critical business rule: when a cancelled offer is relisted, its price must remain the same as in the original listing. The function contains no check or mechanism to ensure this, which allows users to manipulate offer prices during relisting.
The documentation clearly states: "If Dany decides to restore the listing, the offer price must remain $0.99 and cannot be changed." However, the current implementation of relistOffer does not enforce this rule.
See: https://tadle.gitbook.io/tadle/how-tadle-works/mechanics-of-tadle/protected-mode
The function signature relistOffer(address _stock, address _offer) does not include a price parameter, making it impossible to validate the price even if the check were to be implemented.
Proof of Concept:
1. User creates an offer to sell 1000 points at $1 per point.
2. User cancels the offer after selling 500 points.
3. User calls relistOffer for the remaining 500 points.
4. The offer is relisted successfully without any price validation.
5. User can potentially set a new price (e.g., $1.50 per point) for the relisted offer, violating the documented rule.
Without price validation, a user could cancel an offer and relist it at a significantly different price, potentially exploiting market conditions.
Tools used: Manual review
Recommendation: Modify the relistOffer function to include price validation.
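One way to implement the recommended price validation, as an added sketch that is not Tadle's code: a simplified, hypothetical offer book in which relisting requires the caller to restate the original terms and never writes the price fields. The contract, struct, field and error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified model for illustration; not Tadle's PreMarkets code.
contract RelistPriceGuard {
    enum Status { Unknown, Listed, Canceled }

    struct Offer {
        address maker;
        uint256 points;     // points originally offered
        uint256 usedPoints; // points already sold
        uint256 amount;     // total asking amount for `points` (fixes the unit price)
        Status status;
    }

    mapping(uint256 => Offer) public offers;
    uint256 public nextId;

    error NotMaker();
    error WrongStatus(Status current);
    error PriceChanged(uint256 listedAmount, uint256 requestedAmount);

    function createOffer(uint256 points, uint256 amount) external returns (uint256 id) {
        require(points > 0 && amount > 0, "zero value");
        id = nextId++;
        offers[id] = Offer(msg.sender, points, 0, amount, Status.Listed);
    }

    function cancelOffer(uint256 id) external {
        Offer storage o = offers[id];
        if (o.maker != msg.sender) revert NotMaker();
        if (o.status != Status.Listed) revert WrongStatus(o.status);
        o.status = Status.Canceled; // points and amount are left untouched
    }

    /// The caller restates the terms it expects. Any mismatch reverts, and
    /// relisting only flips the status, so the unit price cannot move.
    function relistOffer(uint256 id, uint256 expectedPoints, uint256 expectedAmount) external {
        Offer storage o = offers[id];
        if (o.maker != msg.sender) revert NotMaker();
        if (o.status != Status.Canceled) revert WrongStatus(o.status);
        if (o.points != expectedPoints || o.amount != expectedAmount) {
            revert PriceChanged(o.amount, expectedAmount);
        }
        o.status = Status.Listed;
    }
}
```

The remaining quantity after a partial sale is `points - usedPoints`; because `points` and `amount` are never rewritten, the relisted remainder carries the original per-point price.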