Data desynchronization
Description
When creating a market, the user can set the address of the callback contract that will process transfers of the owner's tokens. To do this, the user must be whitelisted, but deployment of the callback contract is not controlled by the project's contracts. Therefore, it is not guaranteed that the user will specify the same _aggregator contract address as the one used by the BondBaseTeller contract. As a result, the market data used to process the token transfer may become desynchronized.
Impact
As a result of a user error, the market may be unusable since it is impossible to edit the corresponding market settings after creation.
Recommendations
To make the BondBaseCallback contract operate as expected regardless of user actions, we recommend passing the payoutToken and quoteToken token addresses directly to the callback function.
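The sketch below is an added illustration, not code from the audited project. It contrasts a callback that resolves tokens through its own _aggregator reference with one that receives payoutToken and quoteToken from the teller. The interfaces, contract names, tokensOf, the Settled event and the single-teller check are simplified assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration. All interfaces and names are simplified and hypothetical;
// they are not the project's actual contracts.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IAggregatorLike {
    function tokensOf(uint256 id) external view returns (IERC20 payout, IERC20 quote);
}

// Before: the callback resolves market tokens through its own aggregator
// reference, chosen by the deployer and never checked against the teller's.
contract LookupCallback {
    IAggregatorLike internal immutable _aggregator;

    constructor(IAggregatorLike aggregator_) {
        _aggregator = aggregator_;
    }

    function callback(uint256 id_, uint256 outputAmount_) external {
        // If _aggregator is not the teller's aggregator, id_ resolves to a
        // different market (or none), so the token paid out here is not the
        // one the teller expects.
        (IERC20 payout, ) = _aggregator.tokensOf(id_);
        require(payout.transfer(msg.sender, outputAmount_), "transfer failed");
    }
}

// After: the teller passes the tokens it is settling, so the callback holds no
// second copy of market data that can drift out of sync.
contract ExplicitCallback {
    address internal immutable _teller; // assumption: a single trusted teller
    event Settled(uint256 id, IERC20 quoteToken, IERC20 payoutToken, uint256 amount);

    constructor(address teller_) {
        _teller = teller_;
    }

    function callback(uint256 id_, IERC20 quoteToken_, IERC20 payoutToken_, uint256 outputAmount_) external {
        // Token addresses now come from the caller, so the caller is authenticated.
        require(msg.sender == _teller, "caller is not the teller");
        require(payoutToken_.transfer(msg.sender, outputAmount_), "transfer failed");
        emit Settled(id_, quoteToken_, payoutToken_, outputAmount_);
    }
}
```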
Remediation
Bond Labs acknowledged this finding and implemented a fix in commit 252f64d8.