Makers Unable to Retrieve Remaining Collateral Funds When Offer Is Not Closed Before Market Update
Summary
In the Tadle protocol's PreMarkets.sol and DeliveryPlace.sol contracts, makers are unable to retrieve their remaining collateral funds if they do not close their offer before the market is updated. This issue specifically arises when the maker either never settles the offer or does not settle it sufficiently. In such cases, the remaining collateral funds become inaccessible due to the dependency on the offer's closure before a market update.
Vulnerability Details
The issue occurs because the functions responsible for handling collateral funds (e.g., settleAskMaker and closeBidTaker) depend on the offer being settled and closed by the maker. If the maker fails to close the offer before a market update, specifically when they either never settle the offer or do not settle it sufficiently, the remaining collateral funds that should be available to the maker are not accessible.
This scenario is problematic, as it relies on the maker's timely action to both settle and close the offer. If the market is updated before the maker closes the offer, the system does not provide a mechanism to access the remaining collateral funds, leading to a financial loss for the maker.
Impact
Makers lose access to their remaining collateral funds if they fail to settle and close their offer before a market update. This can lead to financial loss and negatively impact the maker's experience within the platform. This behavior could result in user dissatisfaction and a lack of trust in the platform's ability to manage funds correctly.
Proof of Concept
This is the test code.
The result of this code is like this.
Before updating market, the maker (user) payed 0.012 ether for collateral and the taker (user1) payed 0.005175 ether for sales and fee. After settlement of offer, the taker get 0.006 ether for collateral. And the maker get 0.005 ether for sales and 0.00015 for maker bonus. But two users both didn't get remaining 0.006 ether collateral.
Tools Used
Manual code review
Recommendations
Modify the contract logic to ensure that remaining collateral funds are accessible even if the offer is not closed before a market update, particularly in cases where the offer is not fully settled.
Lead Judging Commences
[invalid] finding-DeliveryPlace-owner-do-not-call-settleAskMaker
Invalid, the makers are incentivized to settle offers to earn maker bonuses when subsequent takers and makers make trade using the original collateral put up for points as well as get back their initial collateral. Additionally, if they do not settle on time, they will lose all their initial collateral, forcing the `owner` to come in and perform the settlement and retrieving that collateral. This is noted as a design decision [here](https://tadle.gitbook.io/tadle/how-tadle-works/features-and-terminologies/settlement-and-collateral-rate) If all else fails, the `owner` can come in to settle as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L254-L256) and [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/DeliveryPlace.sol#L365-L367) offers to allow closing offers and subsequently allowing refunds. I acknowledge that perhaps a more decentralized
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.