Due to an insufficient validation, the difference of the amount of native ETH (msg.value - _amount
) will not be deposited and therefore it will be stuck forever inside the TokenManager contract - when the TokenManager#tillIn()
would be called.
Within the following functions, the TokenManager#tillIn()
to deposit WETH into the CapitalPool contract would be called:
PreMarkets#createOffer()
PreMarkets#listOffer()
PreMarkets#relistOffer()
PreMarkets#_depositTokenWhenCreateTaker()
DeliveryPlace#settleAskMaker()
DeliveryPlace#settleAskTaker()
Also, the TokenManager#tillIn()
can directly be called to deposit WETH into the CapitalPool contract.
Within the TokenManager#tillIn()
, if a given _tokenAddress
would be the wrappedNativeToken
(_tokenAddress == wrappedNativeToken
), the following three steps would be proceeded:
1/ if the msg.value
of native ETH-sent would be less than a given _amount
(msg.value < _amount
), the TX will be reverted (because of "NotEnoughMsgValue"
).
2/ Then, the given _amount
of native ETH would be deposited into the WETH contract via the WrappedNativeToken(wrappedNativeToken)#deposit()
in exchange for receiving the given _amount
of WETH (wrappedNativeToken
).
3/ Finally, the given _amount
of WETH (wrappedNativeToken
) received would be transferred to the CapitalPool contract (capitalPoolAddr
).
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L86-L88
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L89
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L90
At the step 1/ above in the TokenManager#tillIn()
, the msg.value
is supposed to be equal to a given _amount
(msg.value == _amount
).
However, at the step 1/ above, whether or not the msg.value
is less than a given _amount
(msg.value < _amount
) would only be validated like this:
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L86
This is problematic because, if the msg.value
is larger than a given _amount
(msg.value > _amount
), the difference of the amount of native ETH (msg.value - _amount
) will be stuck forever inside the TokenManager contract.
(NOTE:To be exact, in this case, only a given _amount
of native ETH would be deposited into the WETH contract to convert to WETH via the IWrappedNativeToken(wrappedNativeToken)#deposit()
. However, the difference of the amount of native ETH (msg.value - _amount
) will not be deposited and therefore it will remain in the TokenManager contract)
Within the TokenManager#tillIn()
, if _tokenAddress == wrappedNativeToken
and the msg.value
is larger than a given _amount
(msg.value > _amount
), the difference of the amount of native ETH (msg.value - _amount
) will be stuck forever inside the TokenManager contract.
Foundry
Within the TokenManager#tillIn()
, consider adding a condition, which check whether or not the msg.value
is larger than a given _amount
(msg.value > _amount
) like this:
Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.