Tadle
DeFi
30,000 USDC
Submission Details
Severity: medium
Invalid

User could call closeOffer to receive more `_amount`

Summary

The system may incorrectly handle excess collateral deposited by users when listing an offer.

Vulnerability Details

The system may incorrectly handle excess collateral deposited by users when listing an offer. Specifically, if a user specifies an amount greater than what they originally offered, this excess collateral could be refunded when the offer is closed, leading to unintended financial loss or misuse of funds.

Impact

Proof of Concept (PoC):
Scenario Setup:
An ASK Maker creates an offer with createOffer, specifying an initial amount and collateral. This malicious user then calls createTaker to buy some points, providing some collateral with it.
The user then lists the offer using `listOffer`, specifying a different `amount` for the listing, potentially higher than the original offer amount.
The closeOffer function is called to close the offer.
Result:
The listOffer function does not validate whether the specified `_amount` is consistent with the original amount that was provided as collateral, or whether it exceeds it.
When closing the offer, closeOffer calculates a refund based on the listed `amount`, not the original amount. This is how the amount is updated when listing:
```solidity
offerInfoMap[offerAddr] = OfferInfo({
    id: stockInfo.id,
    authority: _msgSender(),
    maker: offerInfo.maker,
    offerStatus: OfferStatus.Virgin,
    offerType: offerInfo.offerType,
    abortOfferStatus: AbortOfferStatus.Initialized,
    points: stockInfo.points,
    amount: _amount,
    collateralRate: _collateralRate,
    usedPoints: 0,
    tradeTax: 0,
    settledPoints: 0,
    settledPointTokenAmount: 0,
    settledCollateralAmount: 0
});
```
As we can see from `amount: _amount,`, `OfferInfo.amount` is set to the `_amount` that was passed as a parameter.
If an excess `_amount` was specified during listing, this excess could be refunded to the user when they call closeOffer. Below is how the refund is computed when the user calls closeOffer:
```solidity
uint256 refundAmount = OfferLibraries.getRefundAmount(
    offerInfo.offerType,
    offerInfo.amount,
    offerInfo.points,
    offerInfo.usedPoints,
    offerInfo.collateralRate
);
```
Since `offerInfo.amount` is now set to the `_amount` that was passed as a parameter, without validating whether it exceeds the original, users receive a refund based on the amount they supplied, and malicious users could repeat this many times to benefit.
Example:
A user creates an offer with an amount of 100 units and deposits collateral for this amount.
They later list the offer with an amount of 150 units, adding excess collateral.
When closing the offer, the system refunds collateral based on the 150 units listed, not the 100 units originally offered, allowing the user to receive a refund for the excess amount.

Tools Used

Manual Review

Recommendations

Compare the `_amount` parameter with the original offer's amount stored in `offerInfo` to make sure it is within the accepted limits.
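As an added illustration of the check this recommendation describes (example code, not Tadle's own contract): the struct, mapping and function names are a reduced stand-in modelled on the identifiers quoted in this report, the `OfferInfo` struct is cut down to the fields the check needs, and `createOffer` here is only a minimal way to record an original amount so that `listOffer` has something to compare against.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only; not Tadle's code. Identifiers mirror the
// report (OfferInfo, offerInfoMap, listOffer) but everything here is a
// simplified, assumed reconstruction.
contract ListOfferCheckExample {
    struct OfferInfo {
        address maker;
        uint256 amount;         // collateral amount recorded for the offer
        uint256 collateralRate;
    }

    mapping(address => OfferInfo) public offerInfoMap;

    error AmountExceedsOriginal(uint256 requested, uint256 original);
    error UnknownOffer(address offerAddr);

    // Stand-in for createOffer: records the original amount backing an offer.
    function createOffer(address offerAddr, uint256 amount, uint256 collateralRate) external {
        offerInfoMap[offerAddr] = OfferInfo({
            maker: msg.sender,
            amount: amount,
            collateralRate: collateralRate
        });
    }

    // Relist an offer. The listed `_amount` is bounded by the amount stored
    // for the original offer, so a refund later computed from `amount`
    // cannot exceed what was actually deposited.
    function listOffer(address offerAddr, uint256 _amount, uint256 _collateralRate) external {
        OfferInfo storage original = offerInfoMap[offerAddr];
        if (original.maker == address(0)) {
            revert UnknownOffer(offerAddr);
        }
        if (_amount > original.amount) {
            revert AmountExceedsOriginal(_amount, original.amount);
        }
        offerInfoMap[offerAddr] = OfferInfo({
            maker: original.maker,
            amount: _amount,
            collateralRate: _collateralRate
        });
    }
}
```

With this guard, the 100-unit/150-unit scenario from the example above reverts at `listOffer` with `AmountExceedsOriginal(150, 100)` instead of storing 150 as the amount that a later refund would be based on.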
Updates

Lead Judging Commences

0xnevi Lead Judge
9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
