https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L56
The tillIn function within the TokenManager contract allows users to transfer tokens from their accounts to a capital pool. However, the function does not validate whether the provided _accountAddress parameter matches the caller's (msg.sender) address. This lack of validation opens up potential security vulnerabilities, including unauthorized fund transfers and inconsistent accounting.
The function allows users to transfer tokens to a capital pool, but it does not validate whether _accountAddress matches msg.sender. This omission means that any user can specify an arbitrary _accountAddress, potentially transferring tokens on behalf of another user without their authorization; an attacker could move tokens out of another user's account without their consent. When _accountAddress does not match msg.sender, the funds actually transferred and the account being credited or debited can diverge, leading to accounting errors.
The lack of validation for _accountAddress in the tillIn function could lead to significant security vulnerabilities, including unauthorized access to user funds and inconsistencies in account balances. The severity of this issue is high, as it directly impacts the integrity and security of user assets managed by the contract.
Manual Review
To mitigate the risks associated with this vulnerability, it is recommended to implement a validation check to ensure that _accountAddress matches msg.sender. This will prevent unauthorized users from interacting with accounts other than their own.
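To make the recommended check concrete, the following is an added, simplified illustration and not the Tadle TokenManager's own code: the unchecked shape of the function beside the checked one. The contract name, the minimal IERC20 interface, the capitalPool variable, the balance mapping and the custom errors are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by this example (assumed; not Tadle's interfaces).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Simplified stand-in for a token manager. Only tillIn and _accountAddress come
/// from the finding; everything else here is an assumption for illustration.
contract TokenManagerExample {
    address public immutable capitalPool;
    // account => token => amount credited after a till-in
    mapping(address => mapping(address => uint256)) public credited;

    error TransferFailed();
    error AccountMismatch(address caller, address provided);

    constructor(address _capitalPool) {
        capitalPool = _capitalPool;
    }

    // Unchecked shape: _accountAddress is trusted as given. The tokens are pulled
    // from whichever account the caller names (subject only to that account's ERC-20
    // approval), and the credit lands on that same named account, so the caller,
    // the debited account and the credited account need not agree.
    function tillInUnchecked(address _accountAddress, address _token, uint256 _amount) external {
        if (!IERC20(_token).transferFrom(_accountAddress, capitalPool, _amount)) revert TransferFailed();
        credited[_accountAddress][_token] += _amount;
    }

    // Checked shape, per the recommendation: the caller may only act on its own
    // account, so the debited account and the credited account are always msg.sender.
    function tillIn(address _accountAddress, address _token, uint256 _amount) external {
        if (_accountAddress != msg.sender) revert AccountMismatch(msg.sender, _accountAddress);
        if (!IERC20(_token).transferFrom(msg.sender, capitalPool, _amount)) revert TransferFailed();
        credited[msg.sender][_token] += _amount;
    }
}
```

Reverting with a custom error rather than silently falling back to msg.sender keeps a mismatched call visible to the caller and to off-chain monitoring.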