Tadle

DeFi
30,000 USDC
Submission Details
Severity: low
Invalid

onlyInTokenWhiteList can be bypassed because the _isPointToken flag is set by the user

Summary

In the TokenManager smart contract, when transferring tokens from msg.sender to the CapitalPool address, the user has to provide certain parameters. One of them is _isPointToken, a boolean value set by the user. The problem is that this value is consulted by the token whitelist check, and because the parameter is user-provided, the check can be easily bypassed.

Vulnerability Details

Take a look at the onlyInTokenWhiteList() modifier:

https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L30-36

    modifier onlyInTokenWhiteList(bool _isPointToken, address _tokenAddress) {
        if (!_isPointToken && !tokenWhiteListed[_tokenAddress]) {
            revert TokenIsNotWhiteListed(_tokenAddress);
        }
        _;
    }

It checks whether the token is a point token and, if not, whether it is whitelisted. The problem is that the _isPointToken value is provided by the user:

    function tillIn(
        address _accountAddress,
        address _tokenAddress,
        uint256 _amount,
        bool _isPointToken
    )
        external
        payable
        onlyRelatedContracts(tadleFactory, _msgSender())
        onlyInTokenWhiteList(_isPointToken, _tokenAddress)
    {
        // function body omitted in the report
    }

So the whitelist check can be easily bypassed if _isPointToken is set to true.

Impact

A user can bypass the whitelist check, since the flag that disables it is set by the user himself.

Tools Used

Manual review.

Recommendations

Whether a token is a point token should be determined by the smart contract itself (for example from its own state) and should not be a user-provided parameter.
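The following is an added illustration of the pattern described in this report and in the recommendation above; it is not Tadle's code. The first contract mirrors the quoted modifier, where a caller-supplied _isPointToken flag short-circuits the whitelist check. The second contract replaces the caller-supplied flag with a hypothetical owner-maintained isPointToken mapping, so the decision comes from contract state. The contract names, the owner role and the setter functions are assumptions made for the example. (Note that the judge's comment below explains why, in Tadle's own design, point tokens are intentionally exempt from the collateral whitelist; the example only shows the general pattern of not trusting a caller-supplied flag to disable a check.)

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Tadle's code. Contrasts a whitelist check that trusts a
// caller-supplied flag with one that derives the flag from contract state.

error TokenIsNotWhiteListed(address tokenAddress);
error NotOwner();

// Variant 1: the caller decides whether the whitelist check applies (the shape reported above).
contract WhitelistByCallerFlag {
    mapping(address => bool) public tokenWhiteListed;

    // A true `_isPointToken` skips the whitelist lookup entirely.
    modifier onlyInTokenWhiteList(bool _isPointToken, address _tokenAddress) {
        if (!_isPointToken && !tokenWhiteListed[_tokenAddress]) {
            revert TokenIsNotWhiteListed(_tokenAddress);
        }
        _;
    }

    function tillIn(address _tokenAddress, bool _isPointToken)
        external
        onlyInTokenWhiteList(_isPointToken, _tokenAddress)
        returns (bool)
    {
        return true; // stands in for the transfer logic, which is omitted here
    }
}

// Variant 2: the contract decides which tokens are point tokens (hypothetical hardened form).
contract WhitelistByContractState {
    address public immutable owner;
    mapping(address => bool) public tokenWhiteListed;
    // Hypothetical registry: maintained by the owner, never supplied by the caller.
    mapping(address => bool) public isPointToken;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setPointToken(address _tokenAddress, bool _flag) external onlyOwner {
        isPointToken[_tokenAddress] = _flag;
    }

    function setWhiteListed(address _tokenAddress, bool _flag) external onlyOwner {
        tokenWhiteListed[_tokenAddress] = _flag;
    }

    // The point-token status is read from storage; there is no caller-controlled way to skip the check.
    modifier onlyInTokenWhiteList(address _tokenAddress) {
        if (!isPointToken[_tokenAddress] && !tokenWhiteListed[_tokenAddress]) {
            revert TokenIsNotWhiteListed(_tokenAddress);
        }
        _;
    }

    function tillIn(address _tokenAddress)
        external
        onlyInTokenWhiteList(_tokenAddress)
        returns (bool)
    {
        return true; // stands in for the transfer logic, which is omitted here
    }
}
```

In the first contract, calling tillIn(anyToken, true) succeeds for any address; in the second, tillIn(anyToken) reverts with TokenIsNotWhiteListed unless the owner has registered the address as a point token or whitelisted it, which is the property the recommendation asks for.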

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-TokenManager-onlyInTokenWhiteList-bypass

Invalid, point tokens need not be whitelisted, since they are subjected to the free market to allow free trading within Tadle with the original collateral backing. Since collateral tokens are the subject of focus when valuing points traded, the whitelist is only applicable to them.
