Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Native tokens received into TokenManager::tillIn() function can be locked permanently

ravikiranweb3

Summary

TokenManager::tillIn() function operates in two modes based on the tokenAddress passed as parameter. If the tokenAddress passed is for wrappedNativeToken token, then msg.value is relevant for processing. But, if tokenAddress is for other tokens, the msg.value should be 0 as the function will operate only on amount passed a parameter.

Native tokens passed to tillIn() function for not wrappedNativeToken will be deposited into the TokenManager. But, there is no way to retrieve those funds in the current implementation.

As such, the funds will be locked permanently.

Vulnerability Details

Now, refer to the below code snippet, where tillIn(...) function accepts native tokens as well as _amount as parameter. The logic returns incase _amount is 0.

function tillIn(
address _accountAddress,
address _tokenAddress,
uint256 _amount,
bool _isPointToken
)
external
payable
onlyRelatedContracts(tadleFactory, _msgSender())
onlyInTokenWhiteList(_isPointToken, _tokenAddress)
{
/// @notice return if amount is 0
==> if (_amount == 0) {
return;
}

The implementation will result in locking native tokens.

Lets say, the caller makes the below call, where it passes 1 Ether as native token, but passes amount as 0. In that case, 1 Ether will be locked into the contract and the function will execute successfully.

tokenManager.tillIn{value: 1 ether}(
_msgSender(),
WETH address,
0,
false
);

Impact

User's native token will be locked in TokenManger contract.

Tools Used

Manual review

Recommendations

The tillIn(...) should validate the mode of flow. If tokenAddress is wrappedNativeToken , then msg.value should be greater than equal to _amount. Like wise, if the tokenAddress is not wrappedNativeToken, then msg.value should be 0.

these validations should be checked before entry into the logic section of tillIn(...) function.

function tillIn(
address _accountAddress,
address _tokenAddress,
uint256 _amount,
bool _isPointToken
)
external
payable
onlyRelatedContracts(tadleFactory, _msgSender())
onlyInTokenWhiteList(_isPointToken, _tokenAddress)
{
- if (_amount == 0) {
- return;
- }
+ require(_amount > 0,"Amount should be greater than 0");
+ if(_tokenAddress == wrappedNativeToken){
+ require(_amount <= msg.value,"Insufficient Native tokens");
+ }
+ else{
+ require(msg.value == 0,"Cannot accept native tokens");
+ }
/// @notice return if amount is 0
if (_amount == 0) {
return;
}
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-tillin-excess

Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!