Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Invalid

`PreMarkets.listOffer()` doesn't check whether `_amount` is larger than `stockInfo.amount`.

Summary

`PreMarkets.listOffer()` doesn't check whether `_amount` is larger than `stockInfo.amount`.
This can cause protocol insolvency in Turbo mode.

Vulnerability Details

The relevant code of `listOffer()` is as follows.

```solidity
function listOffer(
    address _stock,
    uint256 _amount,
    uint256 _collateralRate
) external payable {
    if (_amount == 0x0) { // L300
        revert Errors.AmountIsZero();
    }
    // ... SKIP ...
    /// @dev change abort offer status when offer settle type is turbo
    if (makerInfo.offerSettleType == OfferSettleType.Turbo) {
        address originOffer = makerInfo.originOffer;
        OfferInfo memory originOfferInfo = offerInfoMap[originOffer];
        if (_collateralRate != originOfferInfo.collateralRate) {
            revert InvalidCollateralRate();
        }
        originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;
    }
    // ... SKIP ...
}
```

As shown above, `listOffer()` doesn't check on L300 whether `_amount` is larger than `stockInfo.amount`.
In addition, `listOffer()` doesn't deposit collateral to the protocol in Turbo mode.
Therefore, if an attacker sets `_amount` larger than `stockInfo.amount`, the protocol will become insolvent during the settling period.

Impact

This issue can cause protocol insolvency during the settling period in Turbo mode.

Code Snippet

Tools Used

Manual Review

Recommendations

It is recommended to add an additional check on the `_amount` parameter.

function listOffer(
address _stock,
uint256 _amount,
uint256 _collateralRate
) external payable {
- if (_amount == 0x0) {
+ if (_amount == 0x0 && _amount <= stockInfo.amount) {
revert Errors.AmountIsZero();
}
... SKIP ...
}
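
Review bot: The `+` condition `_amount == 0x0 && _amount <= stockInfo.amount` cannot reject an `_amount` above `stockInfo.amount`. With `&&` it is true only when `_amount` is zero, and zero always satisfies the second clause, so the new line behaves exactly like the removed one. The bound the recommendation describes would need `_amount == 0x0 || _amount > stockInfo.amount`, preferably as a separate check with its own error rather than reusing `Errors.AmountIsZero()`. The visible lines also do not show `stockInfo` being loaded before this check, so the comparison would have to be placed after that read.
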
Updates

Lead Judging Commences

jsmi Submitter
about 1 year ago
0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
