Collateral for Turbo mode can be less than 100% and still indicate that it is higher
Summary
In turbo mode only original offer creator provides collateral. But takers might list their own offers based on the initial one with different price.
Vulnerability Details
Alice creates offer with 100% collateral.
Bob takes that offer and list his own for 5 times bigger price.
Some people are taking it.
Impact
Offer collateral is copied, which means that Bob's offer will be showing as it has 100% collateral, but in reality it's only 20%
If Alice won't make the settlement, collateral would't serve it's purpose and people would lose their money.
! IMPORTANT !
It may be the case that Alice and Bob are the same person on two different wallets and are trying to abuse the system by providing much less collateral than they should. They can secure any number of points for as little as 1 USDC,
and of course they will not make any settlements later
Tools Used
Manual Review
Recommendations
Enfore minimal collateral of 100% even for takers creating their own offers.
Lead Judging Commences
finding-PreMarkets-listOffer-collateralRate-manipulate
Valid high severity, because the collateral rate utilized when creating an offer is stale and retrieved from a previously set collateral rate, it allows possible manipilation of refund amounts using an inflated collateral rate to drain funds from the CapitalPool contract
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.