Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Valid

Permanent DOS to User who wants to List their Offer after Taking an offer

Summary

A Denial of Service (DOS) vulnerability has been identified in the `OfferSettleType.Turbo` implementation. This issue prevents users from listing their purchased tokens at prices above the market rate, contradicting the intended functionality as described in the documentation. As a result, users are unable to list their tokens as desired, leading to a restricted user experience.

Vulnerability Details

According to the implementation and the documentation, users should be able to purchase tokens for a certain price (e.g., $1) and list them for a higher price (e.g., $1.10 or $2), regardless of the `OfferSettleType`. The documentation explicitly mentions:

> **"Step 5: Select Collateral Rate: Depending on Mode type, you can set a dynamic collateral option."**

https://tadle.gitbook.io/tadle/product/points-marketplace/sell-points#:~:text=Step 5%3A,dynamic collateral option.

However, the current implementation includes the following check:

```solidity
/**
 * @notice list offer
 * @param _stock stock address
 * @param _amount the amount of offer
 * @param _collateralRate offer collateral rate
 * @dev Only stock owner can list offer
 * @dev Market place must be online
 * @dev Only ask offer can be listed
 */
function listOffer(
    address _stock,
    uint256 _amount,
    uint256 _collateralRate
) external payable {
    if (_amount == 0x0) {
        revert Errors.AmountIsZero();
    }
    if (_collateralRate < Constants.COLLATERAL_RATE_DECIMAL_SCALER) {
        revert InvalidCollateralRate();
    }
    StockInfo storage stockInfo = stockInfoMap[_stock];
    if (_msgSender() != stockInfo.authority) {
        revert Errors.Unauthorized();
    }
    OfferInfo storage offerInfo = offerInfoMap[stockInfo.preOffer];
    MakerInfo storage makerInfo = makerInfoMap[offerInfo.maker];
    /// @dev market place must be online
    ISystemConfig systemConfig = tadleFactory.getSystemConfig();
    MarketPlaceInfo memory marketPlaceInfo = systemConfig
        .getMarketPlaceInfo(makerInfo.marketPlace);
    marketPlaceInfo.checkMarketPlaceStatus(
        block.timestamp,
        MarketPlaceStatus.Online
    );
    if (stockInfo.offer != address(0x0)) {
        revert OfferAlreadyExist();
    }
    if (stockInfo.stockType != StockType.Bid) {
        revert InvalidStockType(StockType.Bid, stockInfo.stockType);
    }
    /// @dev change abort offer status when offer settle type is turbo
    if (makerInfo.offerSettleType == OfferSettleType.Turbo) {
        address originOffer = makerInfo.originOffer;
        OfferInfo memory originOfferInfo = offerInfoMap[originOffer];
        // @Audit>> we cannot set a new Price/Collateral Rate
        if (_collateralRate != originOfferInfo.collateralRate) {
            revert InvalidCollateralRate();
        }
        originOfferInfo.abortOfferStatus = AbortOfferStatus.SubOfferListed;
    }
    // (excerpt ends here; the rest of the function is not quoted in the report)
```

This code prevents users who purchase a Turbo offer from listing their tokens above the market price, as the function will revert if the `collateralRate` differs from the original offer. This restriction effectively leads to a Denial of Service (DOS) for users who wish to list their tokens at a different price, as they are unable to do so.

Impact

This vulnerability restricts users from listing their tokens at desired prices, directly contradicting the intended functionality outlined in the documentation. As a result, users are denied service, potentially leading to dissatisfaction and a loss of trust in the platform. Additionally, this limitation can hinder market dynamics, as users are unable to participate fully in price-setting.

Tools Used

- Manual code review

Recommendations

To mitigate this issue, it is recommended to remove or modify the part of the code that enforces the collateral rate check. Users should be allowed to list their tokens at any collateral rate they desire, in line with the flexibility described in the documentation.
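The check described under Vulnerability Details and the relaxed form suggested in the recommendation can be compared in isolation. The following is an added example, not Tadle's code: the contract name `ListOfferRateModel`, the helper functions, the `NonTurbo` placeholder member and the scaler value `10_000` are assumptions made for illustration; only `OfferSettleType.Turbo`, `InvalidCollateralRate` and `COLLATERAL_RATE_DECIMAL_SCALER` come from the quoted code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration, not Tadle's contract: only the rate checks are modelled.
contract ListOfferRateModel {
    // NonTurbo is a placeholder for any settle type other than Turbo.
    enum OfferSettleType { NonTurbo, Turbo }

    error InvalidCollateralRate();

    // Assumed value; the report shows only the constant's name.
    uint256 public constant COLLATERAL_RATE_DECIMAL_SCALER = 10_000;

    /// The two rate checks quoted in the report, in the same order.
    function checkRate(
        OfferSettleType settleType,
        uint256 originRate,
        uint256 newRate
    ) public pure {
        if (newRate < COLLATERAL_RATE_DECIMAL_SCALER) {
            revert InvalidCollateralRate();
        }
        if (settleType == OfferSettleType.Turbo && newRate != originRate) {
            revert InvalidCollateralRate();
        }
    }

    /// Variant following the recommendation: only the lower bound remains.
    function checkRateRelaxed(uint256 newRate) public pure {
        if (newRate < COLLATERAL_RATE_DECIMAL_SCALER) {
            revert InvalidCollateralRate();
        }
    }

    /// True when checkRate accepts the inputs; the external self-call lets
    /// try/catch turn the revert into a boolean.
    function accepts(
        OfferSettleType settleType,
        uint256 originRate,
        uint256 newRate
    ) external view returns (bool) {
        try this.checkRate(settleType, originRate, newRate) {
            return true;
        } catch {
            return false;
        }
    }
}
```

With a constructed origin rate of `12_000`, `accepts(Turbo, 12_000, 15_000)` returns false, while `accepts(NonTurbo, 12_000, 15_000)` and `accepts(Turbo, 12_000, 12_000)` return true. `checkRateRelaxed(15_000)` does not revert for either settle type.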

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance

Valid high severity. In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users' collateral tokens within the CapitalPool contract. If the opposite occurs, user loses funds based on the points they are supposed to receive.
