Here is how it should look:
Alice calls `createOffer` to place a bid in turbo mode with 1000 points for 1000 amount.
Bob wants to sell it, so he calls `createTaker`, and because it's a bid offer, it should be Bob who settles his stock by providing the tokens. But there is a bug in this check, which was probably copied from the function `settleAskMaker`. It checks whether the caller is `offerInfo.authority`, but the offer owner is Alice. Bob owns the stock, and `stock.authority` should be checked in the condition.
Because this checks whether the caller is Alice, she can just call it with `_settledPoints = 0`. That would be smaller than the expected value, which would result in transferring Bob's collateral to her.
Bid offers (which are half of the protocol functionality) do not work, because offer takers are not able to settle their stocks.
The offer maker can take the taker's collateral.
Manual Review
Replace `offerInfo.authority` with `stockInfo.authority`.
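
The check before and after the recommended change, as a minimal Solidity model. This is an added example, not the Tadle contracts: the contract name, struct layout, `credited` mapping and payout rule are assumptions based on the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the authority check in this finding. Added example:
/// names, storage layout and payout rule are assumptions, not Tadle code.
contract SettleAuthModel {
    struct Offer { address authority; uint256 points; }                   // maker side (Alice)
    struct Stock { address authority; uint256 collateral; bool settled; } // taker side (Bob)

    Offer public offer;
    Stock public stock;
    mapping(address => uint256) public credited; // stand-in for token transfers

    error Unauthorized();
    error AlreadySettled();

    constructor(address maker, address taker, uint256 points, uint256 collateral) {
        offer = Offer(maker, points);
        stock = Stock(taker, collateral, false);
    }

    // Before: the caller is compared with the offer owner, so only the maker
    // passes and the taker can never settle.
    function settleAskTakerBuggy(uint256 settledPoints) external {
        if (msg.sender != offer.authority) revert Unauthorized();
        _settle(settledPoints);
    }

    // After: the caller is compared with the stock owner, who holds the
    // settlement obligation for a bid offer.
    function settleAskTakerFixed(uint256 settledPoints) external {
        if (msg.sender != stock.authority) revert Unauthorized();
        _settle(settledPoints);
    }

    // Assumed payout rule: a full settlement returns the collateral to the
    // taker, anything less credits it to the maker.
    function _settle(uint256 settledPoints) internal {
        if (stock.settled) revert AlreadySettled();
        stock.settled = true;
        address payee = settledPoints >= offer.points ? stock.authority : offer.authority;
        credited[payee] += stock.collateral;
    }
}
```

A regression test for the fix should assert both directions: the stock owner can settle, and a call from the offer owner reverts.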
Valid high severity, when taker offers are created pointing to an `offer`, the relevant `stockInfoMap` offers are created with the owner of the offer aka `authority`, set as the creator of the offer, as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L245). Because of the wrong check within `settleAskTaker`, it will permanently DoS the final settlement functionality for taker offers for the maker that listed the original offer, essentially bricking the whole functionality of the market i.e. maker will always get refunded the original collateral, and takers will never be able to transact the original points put up by the maker. This occurs regardless of market mode.