Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Due to incorrect implementation of `_depositTokenWhenCreateTaker()`

0xhunter

Summary

Fund transfer is incorrect due to incorrect implementation of _depositTokenWhenCreateTaker()

Vulnerability Details

The flow of the protocol is as follows: A user creates an offer to sell or buy 500 points for $500, with 1 point being worth$1.
Next, we call createTaker() to accept this proposal.

function createTaker(address _offer, uint256 _points) external payable {
...
_depositTokenWhenCreateTaker(
platformFee,
depositAmount,
tradeTax,
makerInfo,
offerInfo,
tokenManager
);
...
}

createTaker() calls _depositTokenWhenCreateTaker() to deposit assets.

function _depositTokenWhenCreateTaker(
uint256 platformFee,
uint256 depositAmount,
uint256 tradeTax,
MakerInfo storage makerInfo,
OfferInfo storage offerInfo,
ITokenManager tokenManager
) internal {
uint256 transferAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
depositAmount,
@ false,
Math.Rounding.Ceil
);
transferAmount = transferAmount + platformFee + tradeTax;
tokenManager.tillIn{value: msg.value}(
_msgSender(),
makerInfo.tokenAddress,
transferAmount,
false
);
}

As you can see, parameter _isMaker is false.
Therefore when offerInfo.offerType is ask or bid, trasnferAmount is amount or collateralRate * amount.


Now let's look at the following scenario.
1)user calls createOffer to submit 500 points for $500 as bid.
but another create Taker to accept 500 points for$500 * collateralRate as ask.
2)user calls createOffer to submit 500 points for $500 * collateralRate as ask.
but another create Taker to accept 500 points for$500 as bid.

Impact

Fund transfer is incorrect due to incorrect implementation of _depositTokenWhenCreateTaker()

Tools Used

Mannual Review

Recommendations

_depositTokenWhenCreateTaker() is modified as follow.

function _depositTokenWhenCreateTaker(
uint256 platformFee,
uint256 depositAmount,
uint256 tradeTax,
MakerInfo storage makerInfo,
OfferInfo storage offerInfo,
ITokenManager tokenManager
) internal {
uint256 transferAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
depositAmount,
--- false,
+++ true,
Math.Rounding.Ceil
);
transferAmount = transferAmount + platformFee + tradeTax;
tokenManager.tillIn{value: msg.value}(
_msgSender(),
makerInfo.tokenAddress,
transferAmount,
false
);
}
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-PreMarkets-closeBidMaker-isMaker--false

Invalid, the computations are correct, when taker close a bid offer, of type `Bid` represented in their stock, the offerType of maker must be that of `Ask` as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L137-L139) when the offer is created. In which `(_offerType == OfferType.Ask && _isMaker) ` will result in the following computations performed as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/libraries/OfferLibraries.sol#L44-L51), so the collateral will be refunded appropriately,

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.