Ch_301 - The owner won't be able to create two Market with the same token ,strike and different ERC20 for deposit

[sherlock-admin]

Ch_301

medium

The owner won't be able to create two Market with the same token ,strike and different ERC20 for deposit

Summary

One of the changes compared to V1.
deposit asset can be any erc20

Vulnerability Detail

On createNewCarouselMarket()
The owner can't create two markets for the same token and strike with different underlyingAsset

e.g. in case there is a Market with token == x ,striek == y and underlyingAsset == WETH.
The owner won't be able to create another Market with token == x ,striek == y and underlyingAsset == e.g.USDC

Impact

The owner won't be able to create two Market with the same token ,strike and different ERC20 for deposit

Code Snippet

Tool used

Manual Review

Recommendation

    function createNewCarouselMarket(
        CarouselMarketConfigurationCalldata memory _marketCalldata
    )
        external
        onlyOwner
        returns (
            address premium,
            address collateral,
            uint256 marketId
        )
    {
        if (!controllers[_marketCalldata.controller]) revert ControllerNotSet();
        if (_marketCalldata.token == address(0)) revert AddressZero();
        if (_marketCalldata.oracle == address(0)) revert AddressZero();
        if (_marketCalldata.underlyingAsset == address(0)) revert AddressZero();

        if (tokenToOracle[_marketCalldata.token] == address(0)) {
            tokenToOracle[_marketCalldata.token] = _marketCalldata.oracle;
        }
-    marketId = getMarketId(_marketCalldata.token, _marketCalldata.strike);
+    marketId = getMarketId(_marketCalldata.token, _marketCalldata.strike, _marketCalldata.underlyingAsset);

[3xHarry]

this makes sense

[3xHarry]

fix PR: Y2K-Finance/Earthquake#135

[twicek]

Escalate for 10 USDC

This issue will never lead to a loss of funds because it is doesn't allow for creating a market in the first place in a specific case. As such, I think it should be considered low severity.

Additionally, the documentation says:

• User experience and design improvement issues: Issues that cause minor inconvenience to users where there is no material loss of funds are not considered valid. Funds are temporarily stuck and can be recovered by the administrator or owner. Also, if a submission is a design opinion/suggestion without any clear indications of loss of funds is not a valid issue.

Neither this issue nor the duplicates succeed to show any clear indications of loss of funds.

[sherlock-admin]

Escalate for 10 USDC

This issue will never lead to a loss of funds because it is doesn't allow for creating a market in the first place in a specific case. As such, I think it should be considered low severity.

Additionally, the documentation says:

• User experience and design improvement issues: Issues that cause minor inconvenience to users where there is no material loss of funds are not considered valid. Funds are temporarily stuck and can be recovered by the administrator or owner. Also, if a submission is a design opinion/suggestion without any clear indications of loss of funds is not a valid issue.

Neither this issue nor the duplicates succeed to show any clear indications of loss of funds.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[hrishibhat]

Escalation accepted

Valid low
Based on the above comments the impact of this issue is a valid low as there is no loss of funds or breaking of any core functionality.

[sherlock-admin]

Escalation accepted

Valid low
Based on the above comments the impact of this issue is a valid low as there is no loss of funds or breaking of any core functionality.

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.