Summary

In Protected Mode, higher-ranked traders in the settlement process can delay their point settlements until the end of the settlement period, preventing subsequent traders from settling their points, and leading to forced collateral liquidation that cascades down the trading sequence, causing financial loss to subsequent traders.

Vulnerability Details

In Protected Mode, all sellers, whether they are the original or subsequent ones, are required to deposit crypto as collateral. Upon settlement, each seller must transfer tokens to the buyer according to the trading sequence, as outlined in the documentation. Ask-offer settlements occur within a specified windowed period before bidding settlements starts; when the market status is AskSettling.

The issue is that malicious ask-offers higher up in the trading sequence can delay their point settlements until the very end of the settlement period, potentially by front-running updateMarket transactions when the owner sets the TGE event. As a result, traders in the middle of the sequence, who still need to settle points with subsequent traders, may not receive the necessary points in time. This delay prevents them from settling within the designated settlement period, forcing the owner to call settleAskTaker to forcefully settle their offers and subsequent traders trigger the liquidation of collateral through the closeBidTaker function to get refunded with the token points they did not receive:

As seen above, in the Protected Mode, if ask-offers do not settle their points, their collateral will be liquidated and distributed to the offer takers.

This liquidation can cascade down the trading sequence, as subsequent traders who are unable to settle their points will also have their collateral liquidated.

Proof Of Concept

Consider the following example:

1. Alice, the initial market maker, lists 1,000 points for sale at $1 per unit and deposits $1,000 as collateral, **with Protected mode

2. Bob buys 500 points from Alice for $500. This amount is credited to Alice's balance and is available for withdrawal.

3. Bob, now a maker, lists the 500 points he purchased at a price of $1.10 per point and deposits $550 as collateral.

4. Dany buys 500 points from Bob at $1.10 per unit, paying $550. This amount is credited to Bob's balance and is available for withdrawal.

As the owner updates the market and sets the TGE, the market enters the AskSettling period:

1. Alice delays settling her points to Bob until the very end of the settling period.

   • Notice that Bob cannot settle his points to Dany until he receives them from Alice.

2. Bob eventually receives the token points from Alice's settlement but cannot settle them to Dany because the settlement period has ended, and the market has now entered the BidSettling phase.

3. The owner will call settleAskMaker to forcefully settle Bob's offer.

4. Since Dany did not receive the token points from Bob, she calls closeBidTaker to claim a refund from Bob's collateral.

Notice that if Dany herself has points to settle to subsequent traders, the liquidation will continue cascading down through the trading sequence.

Impact

Malicious traders in the trading sequence can delay settling their points until the very end of the settlement period, preventing subsequent traders from settling their points. This leads to the liquidation of collateral for those traders, allowing the malicious traders to cause cascading collateral liquidation.

Tools Used

Manual Review

Recommendations

The root cause of this issue is that settlements must occur according to the trading sequence, which is essential in Protected Mode. To mitigate this risk, one solution could be to implement a settlement period for each trader in the trading sequence. This approach would prevent griefing attacks by ensuring that each trader has an appropriate window to settle their points.