While listing an sub-offer abortOfferStatus is set into memory instead of storage.
Summary
While listing an sub-offer abortOfferStatus is set into memory instead of storage.
Vulnerability Details
When a taker wants to list his sub-offer using his stock then -
His stock's parent offer's offerInfo is fetched.
We can see that the location of the struct is storage.
After this line the makerInfo struct is fetched using the offerInfo struct. If the mode of trade is Turbo then abortOfferStatus of the original offer is changed to subOfferListed. The related code of these actions are here:
Here, we can see that original offer is fetched from makerInfo.originOffer, but unfortunately the originOfferInfo is initialized locally instead of globally, for that reason the status of originOfferInfo.abortOfferStatus will not not be changed in storage.
Tools Used
Manual review.
Recommendation
Related Links
Lead Judging Commences
finding-PreMarkets-listOffer-originIOfferInfo-storage-memory
Valid high severity, because the `abortOfferStatus` of the offer is not updated and persist through `storage` when listing an offer for turbo mode within the `offerInfoMap` mapping, it allows premature abortion given the `abortOfferStatus` defaults to `Initialized`, allowing the bypass of this [check](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L552-L557) here and allow complete refund of initial collateral + stealing of trade tax which can potentially be gamed for profits using multiple addresses
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.