Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Calling `withdraw` function with `_tokenAddress` input being `wrappedNativeToken` can revert if `msg.sender`'s `receive` function consumes more than 2300 gas

Summary

When `msg.sender` is a contract, calling the `withdraw` function with `_tokenAddress` set to `wrappedNativeToken` reverts if `msg.sender`'s `receive` function consumes more than 2300 gas. Such a `msg.sender` therefore cannot claim the `claimAbleAmount` it is entitled to.

Vulnerability Details

The `withdraw` function below executes `payable(msg.sender).transfer(claimAbleAmount)` when `_tokenAddress == wrappedNativeToken`. Solidity's `transfer` forwards only the fixed 2300 gas stipend to the recipient and reverts if that inner call fails. When `msg.sender` is a smart contract, its `receive` function may contain logic that needs more than 2300 gas (a single storage write already exceeds the stipend). In that case the `receive` function runs out of gas, the inner call fails, and the whole `withdraw` call reverts.

https://github.com/Cyfrin/2024-08-tadle/blob/c249cdb68c37c47025cdc4c4782c8ee3f20a5b98/src/core/TokenManager.sol#L137-L189

```solidity
function withdraw(
    address _tokenAddress,
    TokenBalanceType _tokenBalanceType
) external whenNotPaused {
    uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][
        _tokenAddress
    ][_tokenBalanceType];

    if (claimAbleAmount == 0) {
        return;
    }

    address capitalPoolAddr = tadleFactory.relatedContracts(
        RelatedContractLibraries.CAPITAL_POOL
    );

    if (_tokenAddress == wrappedNativeToken) {
        ...
        _transfer(
            wrappedNativeToken,
            capitalPoolAddr,
            address(this),
            claimAbleAmount,
            capitalPoolAddr
        );

        IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount);
@>      payable(msg.sender).transfer(claimAbleAmount);
    } else {
        ...
        _safe_transfer_from(
            _tokenAddress,
            capitalPoolAddr,
            _msgSender(),
            claimAbleAmount
        );
    }
    ...
}
```

Impact

When the `withdraw` call reverts, the `msg.sender` cannot claim the `claimAbleAmount` it is entitled to; a contract caller with a gas-hungry `receive` function has no way to get its native-token balance out through this path.

Tools Used

Manual Review

Recommended Mitigation

https://github.com/Cyfrin/2024-08-tadle/blob/c249cdb68c37c47025cdc4c4782c8ee3f20a5b98/src/core/TokenManager.sol#L169 can be updated to the following code, which uses a low-level `call` that forwards all remaining gas instead of the 2300 stipend and explicitly checks the result.

```solidity
(bool success, ) = payable(msg.sender).call{value: claimAbleAmount}("");
require(success, "Failed to send Ether");
```

Because `call` forwards all remaining gas, the recipient can re-enter `withdraw` from its `receive` function. The caller's `userTokenBalanceMap` entry must therefore be cleared before the external call (checks-effects-interactions), or the function must be protected by a reentrancy guard, or both.

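The following is an added example written for this page; it is not code from the Tadle repository. It reproduces the finding and the recommended mitigation side by side: `VulnerableVault.withdraw` pays the caller with `transfer` exactly as `TokenManager.withdraw` does, `HardenedVault.withdraw` uses `call` with the balance zeroed first and a reentrancy lock, and `GasHungryReceiver` is a contract whose `receive` does a storage write and so needs more than the 2300 gas stipend. All contract and function names (`VaultLike`, `VulnerableVault`, `HardenedVault`, `GasHungryReceiver`, `Demo`) are illustrative stand-ins and are not identifiers from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this finding; not code from the Tadle repository.
// All contract and function names below are illustrative stand-ins for
// TokenManager.withdraw and its caller.

interface VaultLike {
    function deposit() external payable;
    function withdraw() external;
}

// A recipient whose receive() does a storage write. SLOAD + SSTORE cost far
// more than the 2300 gas stipend that `transfer` forwards, so any `transfer`
// into this contract runs out of gas and reverts.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }

    function depositTo(VaultLike vault) external payable {
        vault.deposit{value: msg.value}();
    }

    function withdrawFrom(VaultLike vault) external {
        vault.withdraw();
    }
}

// Same pattern as TokenManager.withdraw: pay the caller with `transfer`.
contract VulnerableVault is VaultLike {
    mapping(address => uint256) public balance;

    function deposit() external payable {
        balance[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balance[msg.sender];
        if (amount == 0) return;
        balance[msg.sender] = 0;
        // 2300 gas stipend only: reverts for a contract whose receive() is costly.
        payable(msg.sender).transfer(amount);
    }
}

// Recommended shape: zero the balance first, then `call` with all remaining
// gas, behind a reentrancy lock because `call` lets the recipient re-enter.
contract HardenedVault is VaultLike {
    mapping(address => uint256) public balance;
    uint256 private locked;

    modifier nonReentrant() {
        require(locked == 0, "reentrant");
        locked = 1;
        _;
        locked = 0;
    }

    function deposit() external payable {
        balance[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = balance[msg.sender];
        if (amount == 0) return;
        balance[msg.sender] = 0; // effects before interaction
        (bool success, ) = payable(msg.sender).call{value: amount}("");
        require(success, "Failed to send Ether");
    }
}

// Deploys everything, funds both vaults on behalf of the receiver, and
// reports whether each withdrawal path succeeded. Send some ETH with run().
contract Demo {
    function run() external payable returns (bool transferPathOk, bool callPathOk) {
        require(msg.value >= 2, "send at least 2 wei");
        GasHungryReceiver r = new GasHungryReceiver();
        VulnerableVault v = new VulnerableVault();
        HardenedVault h = new HardenedVault();

        r.depositTo{value: msg.value / 2}(v);
        r.depositTo{value: msg.value / 2}(h);

        try r.withdrawFrom(v) { transferPathOk = true; } catch { transferPathOk = false; }
        try r.withdrawFrom(h) { callPathOk = true; } catch { callPathOk = false; }
    }
}
```

Deploy `Demo` and call `run()` with a little ETH (for example in Remix or a Foundry script). The `transfer` path fails because `GasHungryReceiver.receive` runs out of gas inside the 2300 stipend, while the `call` path succeeds since all remaining gas is forwarded; the balance is zeroed before the call and the `nonReentrant` lock covers the reentrancy exposure that switching to `call` introduces.
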
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-transfer-2300-gas

Invalid, known issues [Medium-2](https://github.com/Cyfrin/2024-08-tadle/issues/1)
