Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

DeliveryPlace allows askMaker to steal tokens from CapitalPool if the offer is Turbo and not origin

radin100

Summary

Maker who owns AskOffer type Turbo (not origin), after tge he can call DeliveryPlace::settleAskMaker and increase his withdrawable balance in CapitalPool

Vulnerability Details

Firstly Bob chooses any Turbo askOffer and calls createTaker, to make a Turbo bidOrder
Then Bob calls PreMarkets::listOfferto make his askOffer corresponding to his Turbo bidOrder
Now after the tge Bob will be able to call DeliveryPlace::settleAskMaker, deposit X amount of tokens that should be enough for _settledPoints == offerInfo.usedPoints check to pass and finally his withdrawable amount from CapitalPoolwill be increased by X * CollateralRatio, which basically allows him to steal X * (CollateralRatio - 1)amount of tokens from CapitalPool

Impact

Loss of funds for users, due to not enough quantity in CapitalPool

Tools Used

Manual review

Recommendations

function settleAskMaker(address _offer, uint256 _settledPoints) external {

(

OfferInfo memory offerInfo,

MakerInfo memory makerInfo,

MarketPlaceInfo memory marketPlaceInfo,

MarketPlaceStatus status

) = getOfferInfo(_offer);

if (_settledPoints > offerInfo.usedPoints) {

revert InvalidPoints();

}

if (marketPlaceInfo.fixedratio) {

revert FixedRatioUnsupported();

}

if (offerInfo.offerType == OfferType.Bid) {

revert InvalidOfferType(OfferType.Ask, OfferType.Bid);

}

if (

offerInfo.offerStatus != OfferStatus.Virgin &&

offerInfo.offerStatus != OfferStatus.Canceled

) {

revert InvalidOfferStatus();

}

+ if(offerInfo.offerType == OfferType.Turbo && makerInfo.originOffer != _offer) revert();

....

}

Updates

Lead Judging Commences

0xnevi Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-Premarkets-listOffer-turbo-settleAskMaker-exploit-settlement

Valid high severity, this allows resellers listing offers via `listOffer/relistOffer` to game the system. Based on the inherent design of Turbo mode not requiring takers making ask offers for the original maker offer to deposit collateral, the wrong refund of collateral to takers even when they did not deposit collateral due to turbo mode during settleAskMaker allows possible draining of pools.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.