Due to an insufficient validation, the difference of the amount of native ETH (`msg.value - _amount`) will not be deposited and therefore it will be stuck forever inside the TokenManager contract
Summary
Due to an insufficient validation, the difference of the amount of native ETH (msg.value - _amount) will not be deposited and therefore it will be stuck forever inside the TokenManager contract - when the TokenManager#tillIn() would be called.
Vulnerability Details
Within the following functions, the TokenManager#tillIn() to deposit WETH into the CapitalPool contract would be called:
PreMarkets#
createOffer()PreMarkets#
listOffer()PreMarkets#
relistOffer()PreMarkets#
_depositTokenWhenCreateTaker()DeliveryPlace#
settleAskMaker()DeliveryPlace#
settleAskTaker()
Also, the TokenManager#tillIn() can directly be called to deposit WETH into the CapitalPool contract.
Within the TokenManager#tillIn(), if a given _tokenAddress would be the wrappedNativeToken (_tokenAddress == wrappedNativeToken), the following three steps would be proceeded:
1/ if the
msg.valueof native ETH-sent would be less than a given_amount(msg.value < _amount), the TX will be reverted (because of"NotEnoughMsgValue").2/ Then, the given
_amountof native ETH would be deposited into the WETH contract via the WrappedNativeToken(wrappedNativeToken)#deposit()in exchange for receiving the given_amountof WETH (wrappedNativeToken).3/ Finally, the given
_amountof WETH (wrappedNativeToken) received would be transferred to the CapitalPool contract (capitalPoolAddr).
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L86-L88
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L89
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L90
At the step 1/ above in the TokenManager#tillIn(), the msg.value is supposed to be equal to a given _amount (msg.value == _amount).
However, at the step 1/ above, whether or not the msg.value is less than a given _amount (msg.value < _amount) would only be validated like this:
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L86
This is problematic because, if the msg.value is larger than a given _amount (msg.value > _amount), the difference of the amount of native ETH (msg.value - _amount) will be stuck forever inside the TokenManager contract.
(NOTE:To be exact, in this case, only a given _amount of native ETH would be deposited into the WETH contract to convert to WETH via the IWrappedNativeToken(wrappedNativeToken)#deposit(). However, the difference of the amount of native ETH (msg.value - _amount) will not be deposited and therefore it will remain in the TokenManager contract)
Impact
Within the TokenManager#tillIn(), if _tokenAddress == wrappedNativeToken and the msg.value is larger than a given _amount (msg.value > _amount), the difference of the amount of native ETH (msg.value - _amount) will be stuck forever inside the TokenManager contract.
Tools Used
Foundry
Recommendations
Within the TokenManager#tillIn(), consider adding a condition, which check whether or not the msg.value is larger than a given _amount (msg.value > _amount) like this:
Lead Judging Commences
[invalid] finding-TokenManager-tillin-excess
Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.