Wrong balance update of takers after the settlement
Summary
After the settlement, the taker instead of receiving marketPlaceInfo.tokenAddress, they receive makerInfo.tokenAddress. So, the balance of the Taker is updated incorrectly.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L198
Vulnerability Details
Suppose Alice, a market maker, lists 1000 points for sale at $1, and deposits $1.2 as collateral (assuming the collateral rate is 12000, equivalent to 120%). She does so by calling the function
createOffer.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L39Bob, a market taker, purchases 1000 points from Alice for $1. He does so by calling
createTaker.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L164During the market update and TGE, the owner sets the
marketPlaceInfo.tokenPerPointequal to1.1, by calling the functionupdateMarket.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/SystemConfig.sol#L120Alice calls
settleAskMakerto settle the trade. Thus, Alice will providemarketPlaceInfo.tokenAddressto the pool, and then she would be able to withdraw her collateral.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L222Bob now should be able to take some amount of
marketPlaceInfo.tokenAddressbased on the number of points bought from Alice. So, he calls the functioncloseBidTaker.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L96It is expected that the mapping
userTokenBalanceMap[Bob][marketPlaceInfo.tokenAddress][TokenBalanceType.PointToken]be equal to1000 * 1.1 = 1100, but it is equal to zero by mistake. Because, when adding the token balance to Bob, it is added to the balance ofmakerInfo.tokenAddress(which is the collateral token), notmarketPlaceInfo.tokenAddress. In other words, by mistake we haveuserTokenBalanceMap[Bob][makerInfo.tokenAddress][TokenBalanceType.PointToken] = 1000 * 1.1 = 1100.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L198
This means that Bob can now withdraw 1100 USDC instead of 1100
marketPlaceInfo.tokenAddress. This is implemented incorrectly. If 1100 USDC worth more than 1100marketPlaceInfo.tokenAddress, Bob gained, otherwise he loses.
PoC
In the following test, it is implementing the exact scenario above .
The output is:
Impact
Wrong balance update of takers after the settlement
Tools Used
Recommendations
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/DeliveryPlace.sol#L198
Lead Judging Commences
finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance
Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive
Appeal created
finding-DeliveryPlace-settleAskTaker-closeBidTaker-wrong-makerinfo-token-address-addToken-balance
Valid high severity, In `settleAskTaker/closeBidTaker`, by assigning collateral token to user balance instead of point token, if collateral token is worth more than point, this can cause stealing of other users collateral tokens within the CapitalPool contract, If the opposite occurs, user loses funds based on the points they are supposed to receive
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.