User could list offer without depositing collateral
Summary
When offerSettleType is turbo, subsequent taker can still list their offer after maker has closedOffer and removed his collateral resulting on collateral-free listing for maker and subsequent taker
Vulnerability Details
When offerSettleType is turbo, only the maker deposit collateral when creating offers, subsequent user that buys stocks using createTaker with his offer address as _offer, don't pay for collateral when listing their point via listOffer
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L335-L343
Due to lack to check to see if maker's collateral is still present in the protocol in listOffer when offerSettleType is turbo
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L335-343
other subsequent taker can still list offer after maker has removed his collateral by calling closeOffer from the protocol, meaning they listed their offer without any collateral backing it.
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L406-460
Malicious maker can take advantage of this by
Creating offer via createOffer function
Buying point from himself by calling CreateTaker and passing his previous offer address as _offer
Withdrawing his collateral by calling closeOffer
Listing all stocks point he bought with createTaker for free without any collateral backing it
Impact
In turbo offerSettleType, User could list offer without depositing collateral
Tools Used
Manual review
Recommendations
Check should be added to the list offer to check if maker collateral is present in the protocol or not
Lead Judging Commences
finding-Premarkets-listOffer-turbo-settleAskMaker-exploit-settlement
Valid high severity, this allows resellers listing offers via `listOffer/relistOffer` to game the system. Based on the inherent design of Turbo mode not requiring takers making ask offers for the original maker offer to deposit collateral, the wrong refund of collateral to takers even when they did not deposit collateral due to turbo mode during settleAskMaker allows possible draining of pools.
Appeal created
finding-Premarkets-listOffer-lack-check-abort-relist
Leaving high severity for now but will leave open for appeals. Technically, users can choose not to transact this type offers if they are aware of such undercollaterized relisted offers, in which case it will have no impact. However, if subsequent takers transact this relisted offers, this can allow profits without having to settle any points.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.