Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

`DeliveryPlace::closeBidTaker` allows users to acquire extra tokens from `CapitalPool`

Summary

If a taker holds a bid order that corresponds to an aborted ask offer, nothing stops him from calling `DeliveryPlace::closeBidTaker` and gaining more tokens than he would receive from `PreMarkets::abortBidTaker`.

Vulnerability Details

Consider a scenario where Alice has an ask offer and Bob has a bid order:

  1. Alice calls `PreMarkets::createOffer` to create her ask offer and deposits A * CollateralRatio tokens.

  2. Bob calls `PreMarkets::createTaker` to create a bid order corresponding to Alice's offer and deposits B tokens, which go to Alice's withdrawable balance.

  3. After some time Alice aborts her offer with `PreMarkets::abortAskOffer`, which sets her offer's AbortOfferStatus to Aborted and OfferStatus to Settled, and increases her withdrawable balance by A * CollateralRatio - B.

  4. To reset all balances, Bob should now be able to withdraw B tokens with `PreMarkets::abortBidTaker`. Unexpectedly, he is also able to call `DeliveryPlace::closeBidOffer` and increase his withdrawable balance by B * CollateralRatio, which lets him steal an extra B * (CollateralRatio - 1) tokens from `CapitalPool`.

Note that, for simplicity, Alice does not close her offer before aborting it in this scenario.

Impact

Loss of funds for users who go to withdraw their tokens, because `CapitalPool` no longer holds enough tokens to cover them.
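The scenario above as a small ledger model, comparing the pool shortfall with and without an abort-status check on the close path. This is an added illustration, not Tadle's code or the submitter's; the class and function names and the sample amounts (A = 1,000, B = 400, CollateralRatio = 1.2 written as 12,000 basis points) are assumptions.

```python
# Simplified ledger model (constructed for illustration, not Tadle's contract code).
# All class/function names are hypothetical; CollateralRatio is in basis points.
BPS = 10_000
class AbortedOffer(Exception): pass  # close attempted on an aborted ask offer

class Ledger:
    def __init__(self, guard_aborted, ratio_bps):
        self.guard_aborted = guard_aborted  # True models the abort-status check
        self.ratio_bps = ratio_bps
        self.pool = 0        # tokens actually held by the pool
        self.claims = {}     # withdrawable balance per user
        self.aborted = False

    def _credit(self, user, amount):
        self.claims[user] = self.claims.get(user, 0) + amount

    def create_offer(self, a):                  # step 1: maker deposits A * ratio
        self.collateral = a * self.ratio_bps // BPS
        self.pool += self.collateral

    def create_taker(self, maker, b):           # step 2: B credited to the maker
        self.b = b
        self.pool += b
        self._credit(maker, b)

    def abort_ask_offer(self, maker):           # step 3: refund A * ratio - B
        self.aborted = True
        self._credit(maker, self.collateral - self.b)

    def abort_bid_taker(self, taker):           # intended refund of B
        self._credit(taker, self.b)

    def close_bid_taker(self, taker):           # step 4: credits B * ratio
        if self.guard_aborted and self.aborted:
            raise AbortedOffer()
        self._credit(taker, self.b * self.ratio_bps // BPS)
    def shortfall(self):                        # claims the pool cannot cover
        return max(0, sum(self.claims.values()) - self.pool)

def run(guard_aborted, a=1_000, b=400, ratio_bps=12_000):
    led = Ledger(guard_aborted, ratio_bps)
    led.create_offer(a)
    led.create_taker("alice", b)
    led.abort_ask_offer("alice")
    try:
        led.close_bid_taker("bob")
    except AbortedOffer:
        led.abort_bid_taker("bob")   # only the refund path remains
    return led.shortfall()
```

With the sample amounts, `run(False)` returns B * (CollateralRatio - 1) as the uncovered amount and `run(True)` returns 0.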

Tools Used

Manual review

Recommendations

function closeBidTaker(address _stock) external {
IPerMarkets perMarkets = tadleFactory.getPerMarkets();
ITokenManager tokenManager = tadleFactory.getTokenManager();
StockInfo memory stockInfo = perMarkets.getStockInfo(_stock);
if (stockInfo.preOffer == address(0x0)) {
revert InvalidStock();
}
if (stockInfo.stockType == StockType.Ask) {
revert InvalidStockType();
}
if (_msgSender() != stockInfo.authority) {
revert Errors.Unauthorized();
}
(
OfferInfo memory preOfferInfo,
MakerInfo memory makerInfo,
,
) = getOfferInfo(stockInfo.preOffer);
+ if(preOfferInfo.abortOfferStatus == AbortOfferStatus.Aborted) revert();
....
}
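Review bot: the added abort-status check on the `+` line uses a bare `revert()`, while every other guard in this function reverts with a named error (`InvalidStock`, `InvalidStockType`, `Errors.Unauthorized`). Give it a dedicated custom error so callers, tests and monitoring can tell an aborted-offer rejection apart from other failures. The elided remainder (`....`) is not visible here, so it is worth confirming in review that no state is written before this check is reached and adding a test that calls `closeBidTaker` against an offer whose `abortOfferStatus` is `Aborted`.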
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-closeBidTaker-lack-check-abort-status-drain

Valid high, for unsettled ask offers by the original maker, the initial remaining maker collateral is already refunded as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L624-L629)
