Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Missing Marketplace Status Check in `abortBidTaker` Function

brene

Summary

The abortBidTaker function in the PreMarkets contract lacks a critical check to ensure that the marketplace is online before proceeding with the operation. This oversight could lead to potential issues if the market place if offline

Vulnerability Details

The abortBidTaker function does not verify if the marketplace is online before allowing the bid taker to be aborted as seen in the following code;

function abortBidTaker(address _stock, address _offer) external {

StockInfo storage stockInfo = stockInfoMap[_stock];

OfferInfo storage preOfferInfo = offerInfoMap[_offer];

if (stockInfo.authority != _msgSender()) {

revert Errors.Unauthorized();

}

if (stockInfo.preOffer != _offer) {

revert InvalidOfferAccount(stockInfo.preOffer, _offer);

}

if (stockInfo.stockStatus != StockStatus.Initialized) {

revert InvalidStockStatus(

StockStatus.Initialized,

stockInfo.stockStatus

);

}

if (preOfferInfo.abortOfferStatus != AbortOfferStatus.Aborted) {

revert InvalidAbortOfferStatus(

AbortOfferStatus.Aborted,

preOfferInfo.abortOfferStatus

);

}

uint256 depositAmount = stockInfo.points.mulDiv(

preOfferInfo.points,

preOfferInfo.amount,

Math.Rounding.Floor

);

uint256 transferAmount = OfferLibraries.getDepositAmount(

preOfferInfo.offerType,

preOfferInfo.collateralRate,

depositAmount,

false,

Math.Rounding.Floor

);

MakerInfo storage makerInfo = makerInfoMap[preOfferInfo.maker];

ITokenManager tokenManager = tadleFactory.getTokenManager();

tokenManager.addTokenBalance(

TokenBalanceType.MakerRefund,

_msgSender(),

makerInfo.tokenAddress,

transferAmount

);

stockInfo.stockStatus = StockStatus.Finished;

emit AbortBidTaker(_offer, _msgSender());

}

Impact

If the marketplace is offline, aborting a bid taker could lead to inconsistent states or failed transactions. Also lack of marketplace status verification could be exploited by malicious actors to perform unauthorized or unintended operations.

Tools Used

Manual Review

Recommendations

Add a check to verify that the marketplace is online before proceeding with the abort operation. This can be done by retrieving the marketplace status from the system configuration and ensuring it is online.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-PreMarkets-abortBidTaker-lack-check-abort

Informational, during emergencies, even if abortions are allowed, withdrawal can be paused and collateral cannot be pulled anyways (`whenNotPaused` modifier within `withdraw()`), so there is no impact here, given funds outflow can be paused.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.