Tadle

DeFi
30,000 USDC
Severity: low
Invalid

Missing Check for Settlement Period in `SystemConfig::updateMarket` Function

Description

The SystemConfig::updateMarket function, which is responsible for updating the market information after the settlement period has passed, lacks a validation check to ensure that the settlement period has indeed elapsed. The function can be invoked at any time by the owner, potentially leading to its execution during an ongoing trade or before the intended settlement period has concluded. This oversight can cause premature updates to the marketplace, which may disrupt active trades or result in unintended consequences for users.

```solidity
function updateMarket(
    string calldata _marketPlaceName,
    address _tokenAddress,
    uint256 _tokenPerPoint,
    uint256 _tge,
    uint256 _settlementPeriod
) external onlyOwner {
    address marketPlace = GenerateAddress.generateMarketPlaceAddress(_marketPlaceName);
    MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[marketPlace];

    // The marketplace status is the only precondition checked.
    if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
        revert MarketPlaceNotOnline(marketPlaceInfo.status);
    }

    // The fields are overwritten with no check against the settlement period.
    marketPlaceInfo.tokenAddress = _tokenAddress;
    marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
    marketPlaceInfo.tge = _tge;
    marketPlaceInfo.settlementPeriod = _settlementPeriod;

    emit UpdateMarket(_marketPlaceName, marketPlace, _tokenAddress, _tokenPerPoint, _tge, _settlementPeriod);
}
```

Impact

The absence of a check for the settlement period can have several adverse impacts:

  1. Premature Market Updates: The function could be executed before the settlement period ends, leading to inconsistencies in the marketplace.

  2. Disrupted Trades: If the market is updated during an active trade, it could lead to unexpected behavior or disrupt the trading process.

  3. User Trust: Users might lose trust in the platform if they experience issues due to premature or incorrect market updates.

Tools Used

Manual Review

Recommendations

Implement a validation check within the SystemConfig::updateMarket function to ensure that the settlement period has passed before allowing the update to proceed. This can be done by comparing the current block timestamp with the sum of the Token Generation Event (TGE) timestamp and the settlement period.

function updateMarket(
string calldata _marketPlaceName,
address _tokenAddress,
uint256 _tokenPerPoint,
uint256 _tge,
uint256 _settlementPeriod
) external onlyOwner {
address marketPlace = GenerateAddress.generateMarketPlaceAddress(_marketPlaceName);
MarketPlaceInfo storage marketPlaceInfo = marketPlaceInfoMap[marketPlace];
if (marketPlaceInfo.status != MarketPlaceStatus.Online) {
revert MarketPlaceNotOnline(marketPlaceInfo.status);
}
+ if (block.timestamp < marketPlaceInfo.tge + marketPlaceInfo.settlementPeriod) {
+ revert SettlementPeriodNotPassed();
+ }
marketPlaceInfo.tokenAddress = _tokenAddress;
marketPlaceInfo.tokenPerPoint = _tokenPerPoint;
marketPlaceInfo.tge = _tge;
marketPlaceInfo.settlementPeriod = _settlementPeriod;
emit UpdateMarket(_marketPlaceName, marketPlace, _tokenAddress, _tokenPerPoint, _tge, _settlementPeriod);
}
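
Review bot: The added guard `if (block.timestamp < marketPlaceInfo.tge + marketPlaceInfo.settlementPeriod)` reads the stored `tge` and `settlementPeriod`, which are the same fields this function assigns a few lines later from `_tge` and `_settlementPeriod`. Whether the first update for a marketplace can pass therefore depends on the initial stored values, which these lines do not show. Document whether the guard is meant to test the stored or the incoming values, and what should happen when no TGE has been set yet. `SettlementPeriodNotPassed` is also not declared anywhere in the lines shown, so the custom error needs a declaration for the revert to compile.
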
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid, as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted as noted in READ.ME; they can break certain assumptions of the code based on their actions, and
