Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Some operations do not verify market status

tigerfrake

Summary

Some functions including closeBidTaker() and abortBidTaker(), do not verify the market status before executing their operations. This oversight can lead to unauthorized actions, potential misuse, and operational inconsistencies.

Vulnerability Details

The protocol is designed to manage various market operations, including closing bid offers, settling ask makers, settling ask takers etc. These operations are highly dependent on the current state of the market. The market status can be one of the following:

UnInitialized
Online
AskSettling
BidSettling
Offline

Each of these statuses represents a specific phase in the market's lifecycle, and certain operations should only be permissible during specific statuses. For example, closing a bid offer should ideally only be allowed when the market is in the BidSettling/AskSettling state.

if (

status != MarketPlaceStatus.AskSettling &&

status != MarketPlaceStatus.BidSettling

) {

revert InvaildMarketPlaceStatus();

}

However, Some functions including closeBidTaker() and abortBidTaker(), do not verify the market status before executing their operations.

function abortBidTaker(address _stock, address _offer) external {

StockInfo storage stockInfo = stockInfoMap[_stock];

OfferInfo storage preOfferInfo = offerInfoMap[_offer];

if (stockInfo.authority != _msgSender()) {

revert Errors.Unauthorized();

}

if (stockInfo.preOffer != _offer) {

revert InvalidOfferAccount(stockInfo.preOffer, _offer);

}

if (stockInfo.stockStatus != StockStatus.Initialized) {

revert InvalidStockStatus(

StockStatus.Initialized,

stockInfo.stockStatus

);

}

if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {

revert InvalidAbortOfferStatus(

AbortOfferStatus.Aborted,

preOfferInfo.abortOfferStatus

);

}

//..snip...

stockInfo.stockStatus = StockStatus.Finished;

emit AbortBidTaker(_offer, _msgSender());

}

Impact

This oversight can lead to unauthorized actions and operational inconsistencies.

Tools Used

Manual Review

Recommendations

Ensure that all functions that depend on the market's state verify the current market status before proceeding with their operations.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-PreMarkets-abortBidTaker-lack-check-abort

Informational, during emergencies, even if abortions are allowed, withdrawal can be paused and collateral cannot be pulled anyways (`whenNotPaused` modifier within `withdraw()`), so there is no impact here, given funds outflow can be paused.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.