Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect credit of point tokens in `settleAskTaker` and `closeBidTaker` functions

0xbrivan2

Summary

The settleAskTaker and closeBidTaker functions in DeliveryPlace incorrectly credit the collateral token instead of the point token during settlement

Vulnerability Details

During the settlment period, bidder takers call settleAskTaker to settle the points they sold to bid offer makers. The issue is that the function incorrectly credits the collateral token to the offer makers' balance instead of the point token.

function settleAskTaker(address _stock, uint256 _settledPoints) external {

IPerMarkets perMarkets = tadleFactory.getPerMarkets();

StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);

(

OfferInfo memory offerInfo,

MakerInfo memory makerInfo,

MarketPlaceInfo memory marketPlaceInfo,

MarketPlaceStatus status

) = getOfferInfo(stockInfo.preOffer);

//...

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress, // @audit the taker is correctly depositing the point token

settledPointTokenAmount,

true

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

offerInfo.authority,

>>> makerInfo.tokenAddress, // @audit WRONG, we are crediting the collateral token instead of the point token

settledPointTokenAmount

);

}

// ...

}

In the above code, the function correctly deposits the point token from the taker with tokenManager.tillIn(_msgSender(), marketPlaceInfo.tokenAddress, settledPointTokenAmount, true). However, it mistakenly credits the offer maker with the collateral token (makerInfo.tokenAddress) instead of the point token (marketPlaceInfo.tokenAddress):

tokenManager.addTokenBalance(TokenBalanceType.PointToken,offerInfo.authority,

makerInfo.tokenAddress, // @audit WRONG, we are crediting the collateral token instead of the point token

settledPointTokenAmount

);

This issue also appears in the closeBidTaker function, where ask takers attempting to claim their point tokens after the settlement are incorrectly credited with the collateral token:

function closeBidTaker(address _stock) external {

IPerMarkets perMarkets = tadleFactory.getPerMarkets();

ITokenManager tokenManager = tadleFactory.getTokenManager();

StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);

// ...

uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(

userRemainingPoints,

offerInfo.usedPoints,

Math.Rounding.Floor

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

_msgSender(),

>>> makerInfo.tokenAddress, // @audit WRONG, crediting collateral token instead of point token

pointTokenAmount

);

}

In this function, ask takers are similarly credited with the collateral token (makerInfo.tokenAddress) instead of the correct point token.

Impact

This vulnerability results in bid offer makers and ask offer takers not receiving the appropriate point tokens

Tools Used

Manual review

Recommendations

The settleAskTaker and closeBidTaker functions should be updated to correctly credit the point token. Below are the suggested code changes:

settleAskTaker:

function settleAskTaker(address _stock, uint256 _settledPoints) external {

IPerMarkets perMarkets = tadleFactory.getPerMarkets();

StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);

(

OfferInfo memory offerInfo,

MakerInfo memory makerInfo,

MarketPlaceInfo memory marketPlaceInfo,

MarketPlaceStatus status

) = getOfferInfo(stockInfo.preOffer);

//...

if (settledPointTokenAmount > 0) {

tokenManager.tillIn(

_msgSender(),

marketPlaceInfo.tokenAddress,

true

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

offerInfo.authority,

- makerInfo.tokenAddress,

+ marketPlaceInfo.tokenAddress

settledPointTokenAmount

);

}

// ...

}

closeBidTaker:

function closeBidTaker(address _stock) external {

IPerMarkets perMarkets = tadleFactory.getPerMarkets();

ITokenManager tokenManager = tadleFactory.getTokenManager();

StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);

(

OfferInfo memory preOfferInfo,

MakerInfo memory makerInfo,

+ MarketPlaceInfo memory marketPlaceInfo

) = getOfferInfo(stockInfo.preOffer);

// ...

uint256 pointTokenAmount = offerInfo.settledPointTokenAmount.mulDiv(

userRemainingPoints,

offerInfo.usedPoints,

Math.Rounding.Floor

);

tokenManager.addTokenBalance(

TokenBalanceType.PointToken,

_msgSender(),

- makerInfo.tokenAddress,

+ marketPlaceInfo.tokenAddress

pointTokenAmount

);

}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.