Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Protocol calls to ERC20 tokens does not validate the returned data, which might lead to loss of funds and unexpected errors.

amaron

Summary

The protocol implements low level calls to ERC20 tokens in Rescuableand in CapitalPool::approve:

/**

* @dev Approve token for token manager

* @notice only can be called by token manager

* @param tokenAddr address of token

function approve(address tokenAddr) external {

address tokenManager = tadleFactory.relatedContracts(

RelatedContractLibraries.TOKEN_MANAGER

);

(bool success, ) = tokenAddr.call(

abi.encodeWithSelector(

APPROVE_SELECTOR,

tokenManager,

type(uint256).max

)

);

if (!success) {

revert ApproveFailed();

}

/**

* @dev Safe transfer.

* @param token The token to transfer. If 0, it is ether.

* @param to The address of the account to transfer to.

* @param amount The amount to transfer.

function _safe_transfer(

address token,

address to,

uint256 amount

) internal {

(bool success, ) = token.call(

abi.encodeWithSelector(TRANSFER_SELECTOR, to, amount)

);

if (!success) {

revert TransferFailed();

}

/**

* @dev Safe transfer.

* @param token The token to transfer. If 0, it is ether.

* @param to The address of the account to transfer to.

* @param amount The amount to transfer.

function _safe_transfer_from(

address token,

address from,

address to,

uint256 amount

) internal {

(bool success, ) = token.call(

abi.encodeWithSelector(TRANSFER_FROM_SELECTOR, from, to, amount)

);

if (!success) {

revert TransferFailed();

}

Vulnerability Details

The problem is, this low level implementation, only checks whether the call was successful or not, and do not check the RETURNED DATA from that call

Impact

Some ERC20 tokens might return false on unsuccesful operations, rather than reverting. therefore, if such call was succesful but returned false, which means it was not succesful, the protocol will treat it as succesful call.
this might lead to loss of funds and unexpected errors.

Tools Used

manual review

Recommendations

consider implementing OpenZeppelin's SafeERC20

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[invalid] finding-weird-erc-20-return-boolean-Rescuable

I believe the issues and duplicates do not warrant low severity severity as even if the call to transfers returns false instead of reverting, there is no impact as it is arguably correct given there will be insufficient funds to perform a rescue/withdrawal. This will not affect `tillIn()` as there are explicit balance [checks that revert accordingly](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L255-L260) to prevent allowing creation of offers without posting the necessary collateral

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.