Incorrect Validation of `eachTradeTax` Allows `100%` Tax Rate
Summary
The createOffer() function in the PreMarkets contract requires that eachTradeTax be less than 100% as specified in this comment.
However, the current implementation only checks if params.eachTradeTax is greater than 10000, allowing it to be exactly 10000, which violates the requirement.
Vulnerability Details
Issue:
The check only reverts if params.eachTradeTax is strictly greater than 10000. This allows params.eachTradeTax to be exactly 10000, which is 100%.
Impact
Financial Risk:
Allowing eachTradeTax to be 100% can lead to scenarios where the entire amount involved in a trade is taken as tax, leaving no value for the participants. This can cause significant financial losses.
Tools Used
Manual Review
Recommendations
Update the check to ensure params.eachTradeTax is strictly less than 10000.
Lead Judging Commences
finding-PreMarkets-off-by-one-Trade-TAX-100%
Similar to issue #1323, Despite this off-by-one error of the intended check, the difference between 99% and 100% is minimal, so I believe whether or not 100% is allowed has minimal impact. Ultimately, takers should not be realistically creating offer with such tradeTax
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.