Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Failure of calculating and settling the `settledPointTokenAmount` in the `settleAskMaker` and `settleAskTaker` Functions of `DeliveryPlace.sol` contract

eta

Summary

In the DeliveryPlace.sol contract, the settleAskMaker and settleAskTaker functions both check the _settledPoints variable, and if _settledPoints > 0, they trigger an error. This results in an ineffective check within these two functions. This prevents the proper execution of the functions, leading to the failure of calculating and settling the settledPointTokenAmount.

Vulnerability Details

In the DeliveryPlace.sol contract, the settleAskMaker and settleAskTaker functions both check the _settledPoints variable and trigger an error if _settledPoints > 0. However, the issue is that _settledPoints is a uint256 type, so it will always be >= 0. Since _settledPoints is used to calculate settledPointTokenAmount = marketPlaceInfo.tokenPerPoint * _settledPoints, the correct check should be to trigger an error if _settledPoints == 0.
src/core/DeliveryPlace.sol:settleAskMaker_L257

/**

* @notice Settle ask maker

* @dev caller must be offer authority

* @dev offer status must be Virgin or Canceled

* @dev market place status must be AskSettling

* @param _offer offer address

* @param _settledPoints settled points

function settleAskMaker(address _offer, uint256 _settledPoints) external {

...

if (status == MarketPlaceStatus.AskSettling) {

if (_msgSender() != offerInfo.authority) {

revert Errors.Unauthorized();

}

} else {

if (_msgSender() != owner()) {

revert Errors.Unauthorized();

}

@=> if (_settledPoints > 0) {

revert InvalidPoints();

}

uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint *

_settledPoints;

ITokenManager tokenManager = tadleFactory.getTokenManager();

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress,

settledPointTokenAmount,

true

);

}

...

src/core/DeliveryPlace.sol:settleAskTaker_L368

/**

* @notice Settle ask taker

* @dev caller must be stock authority

* @dev market place status must be AskSettling

* @param _stock stock address

* @param _settledPoints settled points

* @notice _settledPoints must be less than or equal to stock points

function settleAskTaker(address _stock, uint256 _settledPoints) external {

...

if (status == MarketPlaceStatus.AskSettling) {

if (_msgSender() != offerInfo.authority) {

revert Errors.Unauthorized();

}

} else {

if (_msgSender() != owner()) {

revert Errors.Unauthorized();

}

@=> if (_settledPoints > 0) {

revert InvalidPoints();

}

uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint *

_settledPoints;

ITokenManager tokenManager = tadleFactory.getTokenManager();

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress,

settledPointTokenAmount,

true

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

offerInfo.authority,

makerInfo.tokenAddress,

settledPointTokenAmount

);

}

...

Impact

The incorrect check in the settleAskMaker and settleAskTaker functions causes these functions to fail when _settledPoints is greater than zero, which is the expected valid case. This prevents the proper execution of the functions, leading to the failure of calculating and settling the settledPointTokenAmount. As a result, the contract cannot correctly process ask settlements, potentially causing disruptions in the marketplace and preventing users from successfully completing transactions.

Tools Used

Manual Review

Recommendations

It is recommended to modify the check to if _settledPoints == 0 to trigger an error, as shown below:

if (status == MarketPlaceStatus.AskSettling) {

if (_msgSender() != offerInfo.authority) {

revert Errors.Unauthorized();

}

} else {

if (_msgSender() != owner()) {

revert Errors.Unauthorized();

}

- if (_settledPoints > 0) {

+ if (_settledPoints == 0) {

revert InvalidPoints();

}

uint256 settledPointTokenAmount = marketPlaceInfo.tokenPerPoint *

_settledPoints;

ITokenManager tokenManager = tadleFactory.getTokenManager();

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress,

settledPointTokenAmount,

true

);

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.