PreMarkets::abortBidTaker allows unexpected amount of tokens to be refund by aborters
Summary
PreMarkets::abortBidTaker adds unexpected amount of tokens into callers withdrawable balance, due to bad depositedAmount calculation
Vulnerability Details
Let's have a scenario
Alice creates askOffer and Bob makes bidOrder on it and he deposits
Xamount of underlying token and based on point/amount Ratio, now he haveX*Ratiopoints recorded in his stockInfo.After some time Alice decides to abort her offer, by calling
PreMarkets::abortAskOffer, now the abortStatus of her offer is marked as AbortedNow the only think that Bob can do to get his
Xamount of funds back is to executePreMarkets::abortBidTaker
But because of this calculation:
Bob now is able to withdraw X * (Ratio^2) amount of underlying tokens instead of the expected X amount
Impact
Loss of funds for protocol users that deposited funds into CapitalPool, due to aborters too big refund allowance
Tools Used
Manual review
Recommendations
Lead Judging Commences
finding-PreMarkets-abortBidTaker-amount-wrong-StockInfo-points
Valid high severity, due to incorrect computation of `depositAmount` within `abortBidTaker`, when aborting bid offers created by takers, the collateral refund will be completely wrong for the taker, and depending on the difference between the value of `points` and `amount`, it can possibly even round down to zero, causing definite loss of funds. If not, if points were worth less than the collateral, this could instead be used to drain the CapitalPool contract instead.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.