Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Incomplete design of `fixedRatio` makes settling process impossible if market's fixed ratio was set to true upon creation

0xbrivan2

Vulnerability Details

When creating a marketplace, the owner sets the fixed ratio for the market:

function createMarketPlace(
string calldata _marketPlaceName,
bool _fixedratio
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(
_marketPlaceName
);
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
marketPlace
];
if (marketPlaceInfo.status != MarketPlaceStatus.UnInitialized) {
revert MarketPlaceAlreadyInitialized();
}
marketPlaceInfo.status = MarketPlaceStatus.Online;
marketPlaceInfo.fixedratio = _fixedratio;
emit CreateMarketPlaceInfo(_marketPlaceName, marketPlace, _fixedratio);
}

Once the market is created, the fixedratio cannot be updated. Offer makers can list their offers, and trading activities can proceed regardless of the fixedratio value. However, during the settlement period, if the marketplace's fixedratio is set to true, point settlements become impossible, as seen in DeliveryPlace::settleAskTaker and DeliveryPlace::settleAskMaker:

function settleAskMaker(address _offer, uint256 _settledPoints) external {
// ...
if (marketPlaceInfo.fixedratio) {
revert FixedRatioUnsupported();
}
// ...
}
function settleAskTaker(address _stock, uint256 _settledPoints) external {
// ...
if (marketPlaceInfo.fixedratio) { // audit-danger fixedRatio
revert FixedRatioUnsupported();
}
// ...
}

The above code reveals a contradiction in the protocol's behavior. On one hand, the protocol permits trading activities in markets where fixedratio is set to true, but on the other hand, it neither offers a possibility for the owner to update the fixedratio to false nor permits the settlement of points when fixedratio is true.

Impact

If a marketplace's fixedratio is set to true upon creation, settlement of points becomes impossible, leading to several issues:

  1. Token points cannot be settled, preventing bid offer makers and ask offer takers from receiving their token points.

  2. Ask makers and bid takers will lose their collateral since they are unable to settle the points.

Tools Used

Manual Review

Recommendations

There is an inconsistency in the functionality of the fixedratio. Below are some suggested approaches to address this issue:

  1. Allow the owner to update the fixedratio to false in SystemConfig::updateMarket, to enable settlements under the current implementation.

  2. If fixedratio is not supported in the current version, prevent the owner from setting fixedratio to true when creating the market.

  3. If fixedratio is intended to be supported, implement the necessary logic in DeliveryPlace::settleAskTaker and DeliveryPlace::settleAskMaker to handle cases where fixedratio is set to true.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

[invalid] finding-SystemConfig-fixed-ratio

Invalid, design decision, this is decided when market place is created. If a fixed ratio market place is allowed, then admin can simply create a new market place to cater to that in which manual arbitrartion is required instead of allowing settlements by makers, as noted in comments [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L88)

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.