Wrong token is sent to taker when he closing his bid type stock
Summary
Wrong token is sent to taker when he closing his bid type stock
Vulnerability Details
To close a bid type stock taker calls closeBidTaker() in DeliveryPlace.sol contract, the pointTokenAmount is sent to taker in this way:
But you can see here that the token was used for transfer is makerInfo.tokenAddress which is the token which was used to deposit collateral. The correct token will be MarketPlaceInfo.tokenAddress.
Tools Used
Manual review.
Recommendations
Implement this:
Related Links
Lead Judging Commences
finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance
Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.