Tadle

Summary

The createOffer function in the PreMarktes contract is susceptible to a reentrancy attack. This vulnerability arises because the function transfers tokens using tokenManager.tillIn before updating crucial state variables, allowing a malicious contract to re-enter the function and potentially exploit the system.

Vulnerability Details

The createOffer function follows this sequence of operations:

1. It performs various checks and calculations.

2. It transfers tokens to the capital pool using tokenManager.tillIn.

3. It updates the state variables makerInfoMap, offerInfoMap, and stockInfoMap.

The critical issue is that the token transfer occurs before the state updates. This creates a window of opportunity for a reentrancy attack. A malicious contract, acting as the tokenManager, could re-enter the createOffer function during the tillIn call. In this reentrant call, the attacker could potentially:

• Create multiple offers using the same transferred tokens, effectively multiplying their position without providing additional collateral.

• Manipulate other state variables within the contract, leading to unexpected behavior or financial losses.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L39-L157

Impact

An attacker could exploit this vulnerability to create multiple offers with the same funds, potentially leading to significant financial losses for the platform or its users.

Tools Used

Manual review

Recommendations

Follow the Checks-Effects-Interactions Pattern: Restructure the createOffer function to follow the checks-effects-interactions pattern:

• Checks: Perform all necessary input validation and checks at the beginning of the function.

• Effects: Update the contract's state variables (e.g., makerInfoMap, offerInfoMap, stockInfoMap).

• Interactions: Perform external calls like tokenManager.tillIn after the state updates.