Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Block Reorganization May Lead to Incorrect Offer Fulfillment to Taker

Summary

The createTaker function is vulnerable to issues caused by block reorganization (block reorg), which could lead to incorrect offer fulfillment for takers. Block reorgs occur when a different version of the blockchain becomes the longest chain, potentially altering the sequence of transactions. Due to this issue, a taker can fulfill the wrong offer if there is a re-org in offer creation.

Vulnerability Details

The createOffer function is used by a maker to create a new offer. It creates the offer, which is the address corresponding to offerId. A taker can call createTaker(address _offer, uint256 _points). Due to a block reorg, the taker can pass an _offer which is different from what the taker intends. Below is a scenario-based POC to understand the issue in detail:

Scenario based POC

Let's assume offerId before this is: 13 (can be any number and following scenarios will hold for any initial offerId)

  • Transaction T1: Maker M1 lists bid offer to buy 100 points in marketplace MP1 with collateral rate of 110% for amount 1000 USDC. offerId corresponding to this offer is 13.

  • Transaction T2: Maker M2 lists bid offer to buy 100 points in marketplace MP2 with collateral rate of 110% for amount 1000 USDC. offerId corresponding to this offer is 14.

  • Transaction T3: Taker T1 calls createTaker on offerId = 13 and points = 100. So, T1 will deposit collateral of 1000 * 110% = 1100 USDC and gets the stock corresponding to the offerId = 15 for marketplace MP1.

Now, let's assume a block reorg happens and re-ordering happens as T2 -> T1 -> T3:

offerId will be 13 as mentioned earlier:

  • Transaction T2: Maker M2 lists bid offer to buy 100 points in marketplace MP2 with collateral rate of 110% for amount 1000 USDC. offerId corresponding to this offer is 13.

  • Transaction T1: Maker M1 lists bid offer to buy 100 points in marketplace MP1 with collateral rate of 110% for amount 1000 USDC. offerId corresponding to this offer is 14.

  • Transaction T3: Taker T1 calls createTaker on offerId = 13 and points = 100. So, T1 will deposit collateral of 1000 * 110% = 1100 USDC and gets the stock corresponding to the offerId = 15 for marketplace MP2. (VULNERABILITY)

So, as you can check, the taker T1 bought the points which he doesn't intend to buy due to the block reorg.

The vulnerability is more severe if taker T1 has infinite allowance of tokens or allowance more than required. In that case, the taker order will be filled for more amount and the taker will need to pay for that.

Impact

A taker can fill different offers in the marketplace which they don't intend to. Also, the taker can have a loss of funds if a different offer with more than the intended amount is filled (and there is prior allowance to the contract).

Tools Used

Manual review

Recommendations

Along with offer and points, createTaker should also take arguments of marketplace and amount (collateral) which they wanted to get filled with.
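
The scenario and recommendation in the submission above, as a small Python model (an added example, not Tadle's contract code and not part of the original submission). It assumes offers are identified only by a sequential offerId starting at 13; `expected_marketplace` and `expected_amount` are hypothetical names for the extra arguments the recommendation proposes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:
    maker: str
    marketplace: str
    points: int
    amount: int            # USDC
    collateral_rate: int   # percent

class Market:
    """Toy model: offers are identified only by a sequential offerId."""

    def __init__(self, first_id=13):
        self.next_id = first_id
        self.offers = {}

    def create_offer(self, offer):
        offer_id = self.next_id
        self.offers[offer_id] = offer
        self.next_id += 1
        return offer_id

    def create_taker(self, offer_id, points,
                     expected_marketplace=None, expected_amount=None):
        offer = self.offers[offer_id]
        # Hypothetical extra arguments: bind the call to the offer's contents,
        # not just to whatever currently sits behind the id.
        if expected_marketplace is not None and offer.marketplace != expected_marketplace:
            raise ValueError("offer is in a different marketplace")
        if expected_amount is not None and offer.amount != expected_amount:
            raise ValueError("offer amount differs from expected")
        deposit = offer.amount * points // offer.points * offer.collateral_rate // 100
        return offer.marketplace, deposit

# Constructed sample data using the scenario's numbers.
M1 = Offer("M1", "MP1", 100, 1000, 110)
M2 = Offer("M2", "MP2", 100, 1000, 110)

def replay(maker_order, **expected):
    """Apply the maker transactions in the given order, then T3 on offerId 13."""
    market = Market()
    for offer in maker_order:
        market.create_offer(offer)
    return market.create_taker(13, 100, **expected)

if __name__ == "__main__":
    print(replay([M1, M2]))   # original order T1 -> T2 -> T3
    print(replay([M2, M1]))   # reordered T2 -> T1 -> T3
    try:
        replay([M2, M1], expected_marketplace="MP1", expected_amount=1000)
    except ValueError as err:
        print("rejected:", err)
```

Because both offers in the scenario have the same amount, only the marketplace check distinguishes them here; the amount check covers the larger-than-intended fill mentioned under the allowance case.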

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-PreMarkets-createTaker-reorg

Invalid, the taker should be creating a taker offer for an already existing maker offer that has been finalized, i.e. createOffer has been successfully executed before reorg occurs, so this is a non-issue
