Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

capitalPool::approve should take tokenAddress as argument instead of tokenManager contract address

oxelmiguel

Summary

The _transfer function in the TokenManager contract is designed to transfer tokens from the capitalPool to a user. However, before performing the transfer, it attempts to call the approve function on the capitalPool contract. The approve function in the capitalPool contract currently expects a tokenAddr argument but _transfer uses the tokenManager contract address within its logic, causing the approval process to fail and preventing any withdrawals.

issue Details

TokenManager Contract's _transfer Function

The _transfer function performs a token transfer and, if necessary, calls the approve function on the capitalPool contract. Here is the relevant code snippet:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L247

function _transfer(
address _token,
address _from,
address _to,
uint256 _amount,
address _capitalPoolAddr
) internal {
uint256 fromBalanceBef = IERC20(_token).balanceOf(_from);
uint256 toBalanceBef = IERC20(_token).balanceOf(_to);
if (
_from == _capitalPoolAddr &&
IERC20(_token).allowance(_from, address(this)) == 0x0
) {
ICapitalPool(_capitalPoolAddr).approve(address(this));
}
/*
perform transfer
*/
}

CapitalPool Contract's approve Function

The approve function is intended to approve token transfers. However, it currently expects a tokenAddr argument and uses the tokenManager contract address within its logic:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24

function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

Impact

The mismatch between the arguments expected by the approve function and those passed by the _transfer function causes the approval process to fail. As a result, the protocol cannot perform any token withdrawals, leading to potential disruptions in user operations.

Tools Used

manual review, foundry

Recommendations

To resolve this issue, the approve function in the capitalPool contract should be modified to take the tokenAddr as an argument directly instead of the tokenManager contract address. This will ensure that the _transfer function can correctly call the approve function and complete the token transfer process.

function _transfer(
address _token,
address _from,
address _to,
uint256 _amount,
address _capitalPoolAddr
) internal {
uint256 fromBalanceBef = IERC20(_token).balanceOf(_from);
uint256 toBalanceBef = IERC20(_token).balanceOf(_to);
if (
_from == _capitalPoolAddr &&
IERC20(_token).allowance(_from, address(this)) == 0x0
) {
// call approve function with _token
ICapitalPool(_capitalPoolAddr).approve(_token);
}
/*
perform transfer
*/
}
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-approve-wrong-address-input

If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. The argument up in the air is since the approval function `approve` was made permisionless, the `if` block within the internal `_transfer()` function will never be invoked if somebody beforehand calls approval for the TokenManager for the required token, so the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.