**Severity**: medium
**Impact**: Significant
**Likelihood**: medium
---
#### **Description**
The Tadle protocol currently does not enforce a minimum collateral requirement for users creating offers. This allows users to create a large number of offers with minimal collateral, potentially leading to system abuse.
**Issue Identification**:
Our testing revealed that users can create numerous offers with negligible amounts of collateral. The test function below confirms this vulnerability:
```solidity
function test_user_creates_many_offers_with_small_amounts() public {
    vm.startPrank(user);
    uint256 amount = 0.0000000001 * 1e18; // Very small collateral amount
    uint256 pointsToOffer = 1;
    uint256 collateralRate = 10_000;
    uint256 pricePerToken = (amount) / (pointsToOffer * collateralRate);
    // Start listening for the CreateOffer event
    vm.recordLogs();
    // Create 1000 offers
    for (uint256 i = 0; i < 1000; i++) {
        preMarktes.createOffer{ value: amount }(
            CreateOfferParams(
                marketPlace,
                address(weth9),
                pointsToOffer,
                pricePerToken,
                collateralRate,
                300,
                OfferType.Ask,
                OfferSettleType.Turbo
            )
        );
    }
    // Get the recorded logs
    Vm.Log[] memory entries = vm.getRecordedLogs();
    // Counter to track the number of CreateOffer events
    uint256 createOfferCount = 0;
    // Find and parse the 550th CreateOffer event
    for (uint256 i = 0; i < entries.length; i++) {
        Vm.Log memory entry = entries[i];
        // Check if the event signature matches CreateOffer
        if (entry.topics[0] == keccak256("CreateOffer(address,address,address,address,address,uint256,uint256)")) {
            createOfferCount++;
            // Check if this is the 550th event
            if (createOfferCount == 550) {
                // Decode the event data
                (address stockAddr, address msgSender, uint256 points, uint256 amount) =
                    abi.decode(entry.data, (address, address, uint256, uint256));
                console.log("550th Offer Created:");
                console.log("Points", points);
                console.log("Amount", amount);
                console.log("CollateralRate", collateralRate);
                assert(points == pointsToOffer);
                assert(amount == pricePerToken);
                break;
            }
        }
    }
    vm.stopPrank();
}
```
The terminal output:
```
├─ [0] console::log("550th Offer Created:") [staticcall]
│ └─ ← [Stop]
├─ [0] console::log("Points", 1) [staticcall]
│ └─ ← [Stop]
├─ [0] console::log("Amount", 10000 [1e4]) [staticcall]
│ └─ ← [Stop]
├─ [0] console::log("collateralRate", 10000 [1e4]) [staticcall]
│ └─ ← [Stop]
├─ [0] VM::stopPrank()
│ └─ ← [Return]
└─ ← [Stop]
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 188.30ms (184.79ms CPU time)
Ran 1 test suite in 1.92s (188.30ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
```
---
#### **Recommendations**
**Minimum Collateral Requirement**: Implement a minimum collateral requirement for creating offers to prevent users from flooding the system with offers at minimal cost.

---
**Conclusion**: The lack of minimum collateral requirements in the Tadle protocol poses a significant risk, enabling abuse and potentially affecting the integrity and performance of the system. Implementing the recommended changes will help mitigate these risks and improve system resilience.
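One way to implement the recommended minimum-collateral check, as an added sketch that is not Tadle's code and not part of the original report. The contract name, the per-token `minCollateral` mapping, the errors, the events and the simplified `createOffer` signature are all hypothetical, and applying the floor to `msg.value` is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Illustrative sketch only: a hypothetical contract, not Tadle's implementation.
contract OfferBookWithMinCollateral {
    error CollateralBelowMinimum(uint256 provided, uint256 minimum);
    error MinimumNotConfigured(address token);
    error NotOwner();

    event MinCollateralUpdated(address indexed token, uint256 minimum);
    event OfferCreated(address indexed maker, address indexed token, uint256 points, uint256 collateral);

    address public immutable owner;

    // Floor per collateral token, in that token's smallest unit.
    // Kept per token because decimals and value differ between tokens.
    mapping(address => uint256) public minCollateral;

    constructor() {
        owner = msg.sender;
    }

    function setMinCollateral(address token, uint256 minimum) external {
        if (msg.sender != owner) revert NotOwner();
        minCollateral[token] = minimum;
        emit MinCollateralUpdated(token, minimum);
    }

    /// Native-token path: the collateral is msg.value, as in the test above.
    function createOffer(address token, uint256 points) external payable {
        uint256 minimum = minCollateral[token];
        // Fail closed: a token without a configured floor cannot back an offer.
        if (minimum == 0) revert MinimumNotConfigured(token);
        // Reject dust offers before any state is written.
        if (msg.value < minimum) revert CollateralBelowMinimum(msg.value, minimum);
        emit OfferCreated(msg.sender, token, points, msg.value);
    }
}
```

With a floor configured, the loop in the test above would revert on its first `createOffer` call unless each offer carried at least the minimum, so the cost of creating 1000 offers scales with the configured floor instead of with dust amounts.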