Tadle

DeFi
30,000 USDC
Submission Details
Severity: medium
Invalid

Re-entrancy in TokenManager.sol

Summary

In TokenManager.sol, the function tillIn() makes external calls to whitelisted token addresses or to the contracts representing the points being traded. It calls the transfer() or transferFrom() function of those contracts.

External functions in PreMarkets.sol and DeliveryPlace.sol use tillIn() to handle token transfers, but they modify state variables after calling it. This does not follow the Checks-Effects-Interactions (CEI) pattern and is a vector for re-entrancy attacks.

Vulnerability Details

The tillIn() function in TokenManager.sol makes external calls to unverified contracts when isPointToken is true. This occurs during the execution of settleAskMaker() and settleAskTaker() functions.

  • These external calls invoke either transfer() or transferFrom() functions on the _tokenAddress contract, which is provided by users.

  • The contracts lack re-entrancy guards, both in the tillIn() function and in the external functions that use it to move tokens between users and capitalPool.

  • This creates a potential attack vector where a malicious contract could re-enter the TokenManager contract before the initial execution is complete, causing unexpected behaviors.

Impact

This re-entrancy attack can result in an attacker withdrawing more funds from the protocol than they are entitled to.

Tools Used

Manual review

Recommendations

  1. Implement the Checks-Effects-Interactions pattern: ensure that all state changes are made before external calls.

  2. Use re-entrancy guards: implement re-entrancy guards using OpenZeppelin's ReentrancyGuard contract or a similar mechanism. Apply these guards to all external functions that interact with user-supplied token addresses.
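The two recommendations side by side, as an added illustration that is not code from the Tadle repository: a hypothetical, simplified settlement contract in which a tillIn()-style helper pulls a user-supplied token into the capital pool. The first variant writes its settlement state after the external call (the ordering the finding describes); the second applies CEI and OpenZeppelin's nonReentrant modifier. Contract and function names, the storage layout and the OpenZeppelin import path (Contracts v5) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import path (OpenZeppelin Contracts v5 layout); not from the Tadle code base.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Minimal ERC-20 surface needed by the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Shared storage and the token-pull helper (hypothetical stand-in for tillIn()).
abstract contract SettlementBase {
    address public immutable capitalPool;
    mapping(bytes32 => bool) public settled;     // offerId => already settled?
    mapping(address => uint256) public credited; // user => amount credited

    constructor(address pool) {
        capitalPool = pool;
    }

    // Pulls `amount` of `token` from the caller into the capital pool.
    // When `token` is a point-token contract chosen by a user, this is a
    // call into code the protocol does not control, so execution can
    // re-enter this contract before the helper returns.
    function tillIn(address token, uint256 amount) internal {
        require(IERC20(token).transferFrom(msg.sender, capitalPool, amount), "transfer failed");
    }
}

/// "Before" ordering: check, then interaction, then effects.
/// While transferFrom() is executing, settled[offerId] is still false and
/// credited[msg.sender] is unchanged, so a nested settle() for the same
/// offerId passes the check again and the credit is applied more than once.
contract SettlementVulnerable is SettlementBase {
    constructor(address pool) SettlementBase(pool) {}

    function settle(bytes32 offerId, address token, uint256 amount) external {
        require(!settled[offerId], "already settled"); // check
        tillIn(token, amount);                          // interaction (too early)
        settled[offerId] = true;                        // effects written afterwards
        credited[msg.sender] += amount;
    }
}

/// Hardened ordering: check, effects, then interaction, plus a guard on the
/// external entry point. If transferFrom() reverts, the require() unwinds
/// the effects as well, so writing them first is safe.
contract SettlementHardened is SettlementBase, ReentrancyGuard {
    constructor(address pool) SettlementBase(pool) {}

    function settle(bytes32 offerId, address token, uint256 amount) external nonReentrant {
        require(!settled[offerId], "already settled"); // check
        settled[offerId] = true;                        // effects before any external call
        credited[msg.sender] += amount;
        tillIn(token, amount);                          // interaction last
    }
}
```

The guard and the ordering are complementary: CEI closes the window inside a single function, while nonReentrant also covers the case where the nested call lands in a different external function that shares the same storage, which is the situation described here for PreMarkets.sol and DeliveryPlace.sol both reaching tillIn().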

Updates

Lead Judging Commences

0xnevi Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
