Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Listing of Offers will fail because of error in generating offer address.

joshuajee

Summary

When listing an offer, the new offer address is generated with the offerId that is stored in the stockInfoMap mapping, the problem is that this address can become occupied by another offer before the listing which will prevent the listing this offer.

Vulnerability Details

Users create offers by calling the createOffer function, this function generates makerAddr, offerAddr, and stockAddr addresses based on the current offerId.

For example offerId is 1

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L66

address makerAddr = GenerateAddress.generateMakerAddress(offerId);
address offerAddr = GenerateAddress.generateOfferAddress(offerId);
address stockAddr = GenerateAddress.generateStockAddress(offerId);

Then it increases the offerId by one, so offerId is currently 2.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L83

offerId = offerId + 1;

While the addresses were generated with the previous offerId of 1, but the new offerId of 2 will be saved in both the offerInfoMap and stockInfoMap mappings.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L116

offerInfoMap[offerAddr] = OfferInfo({
@-> id: offerId,
authority: _msgSender(),
...

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L134

stockInfoMap[stockAddr] = StockInfo({
@-> id: offerId,
stockStatus: StockStatus.Initialized,
...

Another user creates an offer, the above process will be repeated, and the current offerId will be 3, while the makerAddr, offerAddr, and stockAddr addresses will be generated with the value of 2.

When the user tries to list the first offer they are going to encounter a revert because listOffer first, read the stockInfo from the stockInfoMap mapping.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L308

StockInfo storage stockInfo = stockInfoMap[_stock];

Then it generates the offerAddress from the stockInfo.id, but the stockInfo.id is 2, and the second offer was created with the same value. So at the time of calling the listOffer function the offerInfoMap[2] is not empty, and the following check will revert with OfferAlreadyExist.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L364

address offerAddr = GenerateAddress.generateOfferAddress(stockInfo.id);
if (offerInfoMap[offerAddr].authority != address(0x0)) {
revert OfferAlreadyExist();
}

Impact

When this happens nobody will be able to list that particular offer

Tools Used

Manual Analysis

Recommendations

Use the offerId variable to generate the address

- address offerAddr = GenerateAddress.generateOfferAddress(stockInfo.id);
+ address offerAddr = GenerateAddress.generateOfferAddress(offerId);

Then increase the variable

+ offerId++;
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-createOffer-offerId-increment-after

I believe this is valid low severity, although there is inconsistency here when using the correct `offerId` for assigning offerIds and generating the unique addresses as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L67-L69), this is purely an accounting error for offerIds. If we generate the offerId using current `offerId - 1`, the appropriate listing/taker orders can still be created against those offers.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.