Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect Offer Status Check in `closeBidOffer` Function of `DeliveryPlace.sol` Contract

eta

Summary

In the DeliveryPlace.sol contract, the closeBidOffer function checks the offerStatus, and if it is not OfferStatus.Virgin, it throws an error. However, the issue is that the offerStatus needs to be Settling in order to proceed with closing a bid offer. This discrepancy prevents the closeBidOffer function from functioning as intended.

Vulnerability Details

In the DeliveryPlace.sol contract, the closeBidOffer function checks the offerStatus, and if offerInfo.offerStatus is not OfferStatus.Virgin, it throws an error. However, according to the comments in the function, the offerStatus should be Settling. This mismatch prevents the function from closing offers that are in the Settling state, making the closeBidOffer function unable to perform its intended role.
src/core/DeliveryPlace.sol:closeBidOffer_L32-L58

/**
* @notice Close bid offer
* @dev caller must be offer authority
* @dev offer type must Bid
@=> * @dev offer status must be Settling
* @dev refund amount = offer amount - used amount
*/
function closeBidOffer(address _offer) external {
(
OfferInfo memory offerInfo,
MakerInfo memory makerInfo,
,
MarketPlaceStatus status
) = getOfferInfo(_offer);
if (_msgSender() != offerInfo.authority) {
revert Errors.Unauthorized();
}
if (offerInfo.offerType == OfferType.Ask) {
revert InvalidOfferType(OfferType.Bid, OfferType.Ask);
}
if (
status != MarketPlaceStatus.AskSettling &&
status != MarketPlaceStatus.BidSettling
) {
revert InvaildMarketPlaceStatus();
}
@=> if (offerInfo.offerStatus != OfferStatus.Virgin) {
revert InvalidOfferStatus();
}
...

Impact

The mismatch in the closeBidOffer function prevents it from closing offers that are in the Settling state, rendering the function ineffective for its intended purpose. This issue impacts the contract's ability to properly manage and close offers that have reached the settling phase, potentially leading to unresolved transactions or other unintended consequences in the bidding process.

Tools Used

Manual Review

Recommendations

It is recommended to modify the condition to if (offerInfo.offerStatus != OfferStatus.Settling) as shown below:

/**
* @notice Close bid offer
* @dev caller must be offer authority
* @dev offer type must Bid
@=> * @dev offer status must be Settling
* @dev refund amount = offer amount - used amount
*/
function closeBidOffer(address _offer) external {
(
OfferInfo memory offerInfo,
MakerInfo memory makerInfo,
,
MarketPlaceStatus status
) = getOfferInfo(_offer);
if (_msgSender() != offerInfo.authority) {
revert Errors.Unauthorized();
}
if (offerInfo.offerType == OfferType.Ask) {
revert InvalidOfferType(OfferType.Bid, OfferType.Ask);
}
if (
status != MarketPlaceStatus.AskSettling &&
status != MarketPlaceStatus.BidSettling
) {
revert InvaildMarketPlaceStatus();
}
- if (offerInfo.offerStatus != OfferStatus.Virgin) {
+ if (offerInfo.offerStatus != OfferStatus.Settling) {
revert InvalidOfferStatus();
}
...
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-closeBidOffer-Virgin-Settling

Based on the current Tadle market system, the `Settling` status is never used (along with `Ongoing` and `Filled`), which is supposed to represent the state before settlement by original maker. While sementically, the `Virgin` status does not represent the correct phase to allow early closures before settlement, this issue does not have any current impact given technically the early closure of bid offers is still allowed. However, if we are basing it off of the correct status implementation (i.e. `Settling` phase appropriately updated when takers create offers), then the DoS will occur, essentially blocking any early closure of bids by subsequent makers, forcing them to follow through to final settlement. Unfortunately, none of these issues identify the correct pre-context mentioned above, but I believe medium severity is appropriate. Note for downgrade to low severity: Agree with above appeals and low severity, this is more of a status accounting error and does not have any impact, given the function of `closeBidOffer` is to withdraw the unused portion of sales proceeds. It can be executed as long as the TGE time has been reached, and it restricts the offer to be in a Virgin state. Since the statuses consistently do not utilize a switch from Vigin to Ongoing/Filled and the protocol can function appropriately even without the use of such statuses (presuming other bugs are fixed), the DoS impact will not occur.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.