[M-2] `TokenManger::withdraw` doesn't check for before and after balances of ERC20 tokens that return false instead of reverting, causing user balance to be lost.
Relevant Links
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L137-L189
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L233-L262
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/utils/Rescuable.sol#L104-L117
Summary
TokenManger::withdraw calls _transfer function for WETH tokens but uses _safe_transfer_from function for other ERC20 tokens.
In case of ERC20 tokens that return false instead of reverting on transfer failure like ZRX, it doesn't check the before and after balances, causing user balances to be incorrectly marked as withdrawn.
Vulnerability Details
TokenManger::_transfer function checks for approvals as well as before and after balances of the transferred token.
Rescuable::_safe_transfer_from function only checks the return value of low level call function. If transfer for a token like ZRX was successful, bool success would have a value of true. However, if the transfer failed, bool success would still be true.
As we can see below in the TokenManager::withdraw function, when any other ERC20 except for WETH is transferred Rescuable::_safe_transfer_from is used instead of TokenManager::_transfer:
Impact
Likelihood: High
Impact: Medium - This would cause users balance to be lost and tracked as withdrawn even though they weren't able to withdraw tokens like ZRX. However this would only exist after a valid fix for [H-1] userTokenBalanceMap is never updated while withdrawing, causing protocol to be drained. is applied.
Overall severity is Medium.
Tools Used
Manual Review
Recommendations
Use TokenManager::_transfer inside TokenManager::withdraw instead of Rescuable::_safe_transfer_from
Lead Judging Commences
[invalid] finding-weird-erc-20-return-boolean-Rescuable
I believe the issues and duplicates do not warrant low severity severity as even if the call to transfers returns false instead of reverting, there is no impact as it is arguably correct given there will be insufficient funds to perform a rescue/withdrawal. This will not affect `tillIn()` as there are explicit balance [checks that revert accordingly](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L255-L260) to prevent allowing creation of offers without posting the necessary collateral
Appeal created
finding-TokenManager-safeTransferFrom-withdraw-missing-approve
This issue's severity has similar reasonings to #252, whereby If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. Similarly, the argument here is the approval function `approve` was made permisionless, so if somebody beforehand calls approval for the TokenManager for the required token, the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate. It also has a slightly different root cause and fix whereby an explicit approval needs to be provided before a call to `_safe_transfer_from()`, if not, the alternative `_transfer()` function should be used to provide an approval, assuming a fix was implemented for issue #252
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.