Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Invalid

Slippage controls for calling the `TokenManager.withdraw` function are missing

Summary

When unwrapping the wrapped native token, a fluctuation in value or an error in the unwrap process could make the amount sent to the user differ from `claimAbleAmount`. The function does not check that the amount actually unwrapped and transferred matches the intended amount.

Likewise, when transferring ERC20 tokens, any slippage could make the amount actually transferred less than `claimAbleAmount`. The function does not verify that the correct amount was transferred, so a discrepancy can go unnoticed.

Vulnerability Details

```solidity
function withdraw(
    address _tokenAddress,
    TokenBalanceType _tokenBalanceType
) external whenNotPaused {
    uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][
        _tokenAddress
    ][_tokenBalanceType];

    if (claimAbleAmount == 0) {
        return;
    }

    address capitalPoolAddr = tadleFactory.relatedContracts(
        RelatedContractLibraries.CAPITAL_POOL
    );

    if (_tokenAddress == wrappedNativeToken) {
        /**
         * @dev token is native token
         * @dev transfer from capital pool to msg sender
         * @dev withdraw native token to token manager contract
         * @dev transfer native token to msg sender
         */
        _transfer( //@audit missing slippage control
            wrappedNativeToken,
            capitalPoolAddr,
            address(this),
            claimAbleAmount,
            capitalPoolAddr
        );

        IWrappedNativeToken(wrappedNativeToken).withdraw(claimAbleAmount);
        payable(msg.sender).transfer(claimAbleAmount);
    } else {
        /**
         * @dev token is ERC20 token
         * @dev transfer from capital pool to msg sender
         */
        _safe_transfer_from( //@audit missing slippage control
            _tokenAddress,
            capitalPoolAddr,
            _msgSender(),
            claimAbleAmount
        );
    }

    emit Withdraw(
        _msgSender(),
        _tokenAddress,
        _tokenBalanceType,
        claimAbleAmount
    );
}
```

Impact

Without slippage control, the amount of tokens expected to be transferred might differ from the amount actually delivered. Users could then receive less than they expect, leading to potential financial losses.

Tools Used

VSCode

Recommendations

The `TokenManager` contract can be updated so that its `withdraw` function lets `msg.sender` specify a minimum amount of native token; the call should revert if the amount produced by the corresponding withdraw path is less than the minimum the caller specified.

Similarly, the `TokenManager` contract can also include a `maxToken` function that lets `msg.sender` specify the maximum number of tokens to be withdrawn when calling the corresponding `withdraw` function.
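To illustrate the recommended minimum-output check, here is an added sketch that is not Tadle's code: it measures what the recipient actually receives and reverts when that falls below a caller-supplied minimum. The contract, error and parameter names (`WithdrawWithMinOut`, `InsufficientOutput`, `minAmountOut`) are hypothetical, and the `TokenBalanceType` dimension of the real balance map is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Names are hypothetical.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

interface IWrappedNativeToken {
    function withdraw(uint256) external;
}

contract WithdrawWithMinOut {
    error InsufficientOutput(uint256 received, uint256 minOut);

    address public immutable wrappedNativeToken;
    address public immutable capitalPool;
    // user => token => claimable amount (balance-type dimension omitted)
    mapping(address => mapping(address => uint256)) public claimable;

    constructor(address _wrappedNativeToken, address _capitalPool) {
        wrappedNativeToken = _wrappedNativeToken;
        capitalPool = _capitalPool;
    }

    // Needed to receive ETH from the wrapped-token unwrap.
    receive() external payable {}

    function withdraw(address token, uint256 minAmountOut) external {
        uint256 amount = claimable[msg.sender][token];
        if (amount == 0) return;
        claimable[msg.sender][token] = 0; // effects before interactions

        uint256 received;
        if (token == wrappedNativeToken) {
            // Pull the wrapped token here, unwrap it, and forward only the ETH actually obtained.
            uint256 before = address(this).balance;
            require(IERC20(token).transferFrom(capitalPool, address(this), amount), "pull failed");
            IWrappedNativeToken(token).withdraw(amount);
            received = address(this).balance - before;
            if (received < minAmountOut) revert InsufficientOutput(received, minAmountOut);
            (bool ok, ) = msg.sender.call{value: received}("");
            require(ok, "native transfer failed");
        } else {
            // Recipient balance delta is what the user really got; this is below `amount`
            // for a fee-on-transfer token, which the plain transfer cannot detect.
            uint256 before = IERC20(token).balanceOf(msg.sender);
            require(IERC20(token).transferFrom(capitalPool, msg.sender, amount), "transfer failed");
            received = IERC20(token).balanceOf(msg.sender) - before;
            if (received < minAmountOut) revert InsufficientOutput(received, minAmountOut);
        }
    }
}
```

A WETH9-style `withdraw` burns exactly the requested amount and sends the same amount of ETH, so the delta check only changes behaviour for tokens whose delivered amount can differ from the requested one, such as fee-on-transfer tokens.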

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
