Tadle

DeFi
30,000 USDC
Submission Details
Severity: high
Valid

Incorrect Deposit Calculation Due to Wrong Collateral Rate in listOffer Function

Summary

The listOffer function is used to list a Bid stock with a custom collateral rate in the protected-mode settlement type. When a user lists the offer with a collateral rate that differs from the one set by the stock's pre-offer, the function computes the deposit amount from the previous collateral rate, which is wrong.

Vulnerability Details

The listOffer function currently fetches an incorrect deposit amount because it uses the wrong collateral rate. The issue arises for offers with a Protected settlement type. The function calls OfferLibraries.getDepositAmount to calculate the deposit, but the collateral rate passed to it is incorrect: it is the pre-offer's collateral rate rather than the collateral rate the user is listing the offer with.

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/PreMarkets.sol#L345-L362

```solidity
function listOffer(
    address _stock,
    uint256 _amount,
    uint256 _collateralRate
) external payable {
    ......
    /// @dev transfer collateral when offer settle type is protected
    if (makerInfo.offerSettleType == OfferSettleType.Protected) {
        uint256 transferAmount = OfferLibraries.getDepositAmount(
            offerInfo.offerType,
            offerInfo.collateralRate, // issue: should use _collateralRate provided in arguments
            _amount,
            true,
            Math.Rounding.Ceil
        );
        ITokenManager tokenManager = tadleFactory.getTokenManager();
        tokenManager.tillIn{value: msg.value}(
            _msgSender(),
            makerInfo.tokenAddress,
            transferAmount,
            false
        );
    }
    .......
    /// @dev update offer info
    offerInfoMap[offerAddr] = OfferInfo({
        id: stockInfo.id,
        authority: _msgSender(),
        maker: offerInfo.maker,
        offerStatus: OfferStatus.Virgin,
        offerType: offerInfo.offerType,
        abortOfferStatus: AbortOfferStatus.Initialized,
        points: stockInfo.points,
        amount: _amount,
        collateralRate: _collateralRate,
        usedPoints: 0,
        tradeTax: 0,
        settledPoints: 0,
        settledPointTokenAmount: 0,
        settledCollateralAmount: 0
    });
```

Impact

Because of this issue, if the taker lists the offer with a higher collateral rate, offerInfoMap records the offer at the higher collateral rate, but the collateral taken from the taker is less than what should be taken. A user buying points from this listed offer is therefore given the wrong impression that the offer has more collateral deposited than it does. If the taker then doesn't settle the offer, the buyer of points would be able to seize all the taker's collateral by calling closeBidTaker, where the amount is determined at the higher collateral rate even though the collateral deposited by the taker was less. This will lead to loss of funds for the protocol.

Tools Used

Manual review

Recommendations

Fix the following in the listOffer function:

```solidity
if (makerInfo.offerSettleType == OfferSettleType.Protected) {
    uint256 transferAmount = OfferLibraries.getDepositAmount(
        offerInfo.offerType,
        _collateralRate, // fix: size the deposit with the collateral rate supplied by the user
        _amount,
        true,
        Math.Rounding.Ceil
    );
```
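The shortfall described under Impact can be expressed as an invariant: the collateral actually deposited must cover what the recorded collateral rate promises. The following minimal model is an added example, not Tadle's code and not part of the original submission; the contract name, the helper names, the ceil(amount * rate / 10_000) deposit formula, and the sample values are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Tadle code. Assumption: deposit = ceil(amount * rate / RATE_SCALER),
/// with a hypothetical RATE_SCALER of 10_000 (10_000 == 100%).
contract ListOfferCollateralModel {
    uint256 public constant RATE_SCALER = 10_000;

    struct Listing {
        uint256 amount;
        uint256 collateralRate; // rate recorded in the listing (what buyers see)
        uint256 deposited;      // collateral actually pulled from the lister
    }

    /// Simplified stand-in for the deposit calculation (maker side, rounding up).
    function depositFor(uint256 amount, uint256 rate) public pure returns (uint256) {
        return (amount * rate + RATE_SCALER - 1) / RATE_SCALER;
    }

    /// Flawed flow: deposit sized with the pre-offer rate, listing records the new rate.
    function listVulnerable(uint256 amount, uint256 preOfferRate, uint256 newRate)
        public pure returns (Listing memory)
    {
        return Listing(amount, newRate, depositFor(amount, preOfferRate));
    }

    /// Recommended flow: the same rate sizes the deposit and is recorded.
    function listFixed(uint256 amount, uint256 newRate) public pure returns (Listing memory) {
        return Listing(amount, newRate, depositFor(amount, newRate));
    }

    /// Collateral the recorded rate promises but that was never deposited (0 when fully backed).
    function shortfall(Listing memory l) public pure returns (uint256) {
        uint256 required = depositFor(l.amount, l.collateralRate);
        return required > l.deposited ? required - l.deposited : 0;
    }

    /// Constructed values: amount 1000e6, pre-offer rate 12_000 (120%), listed rate 20_000 (200%).
    function demo() external pure returns (uint256 vulnerableGap, uint256 fixedGap) {
        vulnerableGap = shortfall(listVulnerable(1000e6, 12_000, 20_000));
        fixedGap = shortfall(listFixed(1000e6, 20_000));
    }
}
```

With the constructed values, the vulnerable flow records a listing that promises 2000e6 of collateral while only 1200e6 was deposited, a gap of 800e6; the fixed flow leaves no gap. The same comparison works as a fuzz or invariant test assertion after every listing.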
Updates

Lead Judging Commences

0xnevi Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-listOffer-collateralRate-manipulate

Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipulation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract.
