Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

An attacker, or a buyer whose seller has aborted the offer, can steal tokens by closing the bid stock instead of aborting it, because the closeBidTaker function doesn't check the seller's abort status.

Summary

When a seller aborts the offer, the buyer has to call the abortBidTaker function to get back his tokens. But the buyer can call the closeBidTaker function instead of abortBidTaker to steal the collateral tokens from the pool.

Vulnerability Details

Note that when abortAskOffer is called by the seller, the offer's status is set to Settled.

```solidity
offerInfo.abortOfferStatus = AbortOfferStatus.Aborted;
offerInfo.offerStatus = OfferStatus.Settled;
```

Also, if we look at the closeBidTaker function, it only checks that the offer is settled but doesn't check the abortOfferStatus:

```solidity
if (offerInfo.offerStatus != OfferStatus.Settled) {
    revert InvalidOfferStatus();
}
```

This means the buyer whose seller has aborted the offer can still call closeBidTaker, because the offer's status is Settled and the function doesn't check the offer's abortOfferStatus.

Example:

  • Alice creates an offer to sell 1000 points for 1000 USDC with a 200% collateral rate. Alice sends 2000 USDC to the pool as collateral.

  • Bob buys Alice's points. Bob has a buy stock with points = 1000 and sends 1000 USDC to Alice.

  • Alice aborts the sell offer by calling abortAskOffer and gets back 1000 USDC. Alice has fully recovered her collateral.

  • Now Bob has to call abortBidTaker to get back the 1000 USDC he spent, since Alice doesn't want to sell anymore.

  • But Bob decides to call closeBidTaker instead of abortBidTaker. The function assumes the buyer is closing his bid and the seller did not settle any points, so it sends back the whole collateral, i.e. 2000 USDC.

  • Bob gets 2000 USDC when he should be given 1000 USDC. This is because he is allowed to close his bid even when the seller aborted the sell offer.

This can also be done by an attacker who is both the seller and the buyer, and with flash loans the attack amount can be increased up to any amount the attacker wants.

Impact

Direct loss of funds

Tools Used

manual

Recommendations

Add this check in the closeBidTaker function:

```solidity
if (offerInfo.abortOfferStatus == AbortOfferStatus.Aborted) {
    revert OfferAlreadyAbortedUseAbortBidTaker();
}
```
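
The Alice/Bob scenario and the recommended check, as a simplified Python model. This is an added example, not Tadle's code or the submitter's; the placeholder enum values OPEN and NONE, the function names, and the payout formula (price times collateral rate) are assumptions chosen to reproduce the page's 1000 and 2000 USDC figures.

```python
from dataclasses import dataclass
from enum import Enum

class OfferStatus(Enum):
    OPEN = 0       # constructed placeholder for "not yet settled"
    SETTLED = 1

class AbortOfferStatus(Enum):
    NONE = 0       # constructed placeholder for "not aborted"
    ABORTED = 1

class InvalidOfferStatus(Exception): pass
class OfferAlreadyAborted(Exception): pass

@dataclass
class Offer:
    price: int             # USDC the taker paid (1000 in the example)
    collateral_rate: int   # percent (200 in the example)
    offer_status: OfferStatus = OfferStatus.OPEN
    abort_status: AbortOfferStatus = AbortOfferStatus.NONE

def abort_ask_offer(offer):
    # Same two assignments as quoted from abortAskOffer: abort also sets Settled.
    offer.abort_status = AbortOfferStatus.ABORTED
    offer.offer_status = OfferStatus.SETTLED

def abort_bid_taker(offer):
    # Correct exit for a taker whose maker aborted: refund what was paid.
    if offer.abort_status is not AbortOfferStatus.ABORTED:
        raise InvalidOfferStatus()
    return offer.price

def close_bid_taker(offer, check_abort):
    if offer.offer_status is not OfferStatus.SETTLED:
        raise InvalidOfferStatus()
    # Recommended guard; check_abort=False models the code as audited.
    if check_abort and offer.abort_status is AbortOfferStatus.ABORTED:
        raise OfferAlreadyAborted()
    # Maker delivered no points: taker is compensated with the full collateral.
    return offer.price * offer.collateral_rate // 100

def scenario(check_abort):
    """Return (amount owed to Bob, amount closeBidTaker pays) after an abort."""
    offer = Offer(price=1000, collateral_rate=200)
    abort_ask_offer(offer)
    owed = abort_bid_taker(offer)
    try:
        paid = close_bid_taker(offer, check_abort)
    except OfferAlreadyAborted:
        paid = 0
    return owed, paid
```
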
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-closeBidTaker-lack-check-abort-status-drain

Valid high, for unsettled ask offers by the original maker, the initial remaining maker collateral is already refunded as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L624-L629)
