Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

_marketPlaceName may be duplicated

Summary

In SystemConfig.sol https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L87

/**
 * @notice Create market place
 * @param _marketPlaceName Market place name
 * @param _fixedratio Fixed ratio
 * @notice Caller must be owner
 * @notice _marketPlaceName must be unique
 * @notice _fixedratio is true if the market place is arbitration required
 */
function createMarketPlace(
    string calldata _marketPlaceName,
    bool _fixedratio
) external onlyOwner {
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(
        _marketPlaceName
    );
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[
        marketPlace
    ];
    if (marketPlaceInfo.status != MarketPlaceStatus.UnInitialized) {
        revert MarketPlaceAlreadyInitialized();
    }
    marketPlaceInfo.status = MarketPlaceStatus.Online;
    marketPlaceInfo.fixedratio = _fixedratio;
    emit CreateMarketPlaceInfo(_marketPlaceName, marketPlace, _fixedratio);
}

_marketPlaceName must be unique, but there is no function that directly checks this condition. 'keccak256' creates the address, and the chance that it produces the same hash is low but never zero. So we must add a uniqueness check.

Vulnerability Details

There is a low chance that 'keccak256' can produce the same hash. To eliminate that possibility, additional checks can be done.

Impact

Creating multiple marketplaces with the same name _marketPlaceName can lead to financial errors, such as users accidentally sending money to the wrong marketplace. This can result in fraud or user losses.

Tools Used

Manual

Recommendations

To ensure the uniqueness of addresses in the createMarketPlace function, additional checks are required. A map can be used to verify whether the address generated by generateMarketPlaceAddress has been used before.
Here is an example:

+ mapping(address => bool) private existingMarketPlaces;
function createMarketPlace(
string calldata _marketPlaceName,
bool _fixedratio
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(_marketPlaceName);
+ require(!existingMarketPlaces[marketPlace], "Market place name must be unique");
+ existingMarketPlaces[marketPlace] = true;
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[marketPlace];
if (marketPlaceInfo.status != MarketPlaceStatus.UnInitialized) {
revert MarketPlaceAlreadyInitialized();
}
marketPlaceInfo.status = MarketPlaceStatus.Online;
marketPlaceInfo.fixedratio = _fixedratio;
emit CreateMarketPlaceInfo(_marketPlaceName, marketPlace, _fixedratio);
}
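
Review bot: the added require and the write to existingMarketPlaces, placed right after the generateMarketPlaceAddress call, duplicate the guard that already follows them. marketPlaceInfoMap is keyed by the same marketPlace address, and the function sets marketPlaceInfo.status to MarketPlaceStatus.Online before returning, so on the lines shown a second call with the same _marketPlaceName already reverts with MarketPlaceAlreadyInitialized() at the unchanged if. The new mapping therefore costs an extra storage write per marketplace without rejecting any input that the existing check accepts, and it does nothing about two different names hashing to the same address, since both checks key on the derived address rather than on the name. Suggest dropping the mapping, or, if a name-level guarantee is the goal, stating what the check is keyed on and documenting it in the NatSpec next to "_marketPlaceName must be unique".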

This additional check ensures that the same address has not been created before, thereby maintaining the uniqueness of marketplace names.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-SystemConfigcreateMarketPlace-unique

Invalid, admins trusted to create marketplaces accordingly with appropriate inputs, as stated in READ.ME. If they do, there will be no issues.
