Any market taker with his own ask offer listed in turbo mode might call settleAskMaker, which would lead to stealing proctol found
Summary
Alice creates offer ask offer in turbo mode with 10_000 points for 10_000 USDC, collateralRatio 300%.
Mark calls
createTakerfor 10_000 points and thenlistOfferwith 5_000 points.All his points are sold.
Tokens are released, so Alice calls
settleAskMaker, so everyone are ready to fetch their points.Mike calls
closeBidTakerto get his portion of points ( 5_000 ).Market token prices drops very low.
Mike calls
settleAskMaker, where he sends 5_000 and retrieve the collateral worth of (5_000 * 300% = 15_000)
Vulnerability Details
That last action called my Mike should not be possible. For protection mode, every offer should be settled by his owner. That way everyone could collect their collateral. But for the Turbo mode, settlement is done only by the initial offer creator.
So it should be blocked for any others.
Impact
The market token price doesn't even have to fail. It is enough if it is lower than the collateral, which will almost always be the case. And then Mike will be able to abuse the system, which means stealing money from it.
Tools Used
Manual Review
Recommendations
This check should be present in settleAskMaker
Lead Judging Commences
finding-Premarkets-listOffer-turbo-settleAskMaker-exploit-settlement
Valid high severity, this allows resellers listing offers via `listOffer/relistOffer` to game the system. Based on the inherent design of Turbo mode not requiring takers making ask offers for the original maker offer to deposit collateral, the wrong refund of collateral to takers even when they did not deposit collateral due to turbo mode during settleAskMaker allows possible draining of pools.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.