Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

When `msg.value > _amount`, funds stuck in the `TokenManager` contract

tnevler

Summary

The TokenManager::tillIn function is designed to transfer tokens from msg.sender to CapitalPool. However, some funds may get stuck in the TokenManager contract.

Vulnerability

If a user sends msg.value greater than _amount to the protocol, the TokenManager::tillIn function transfers _amount of tokens to the CapitalPool contract instead of transfering msg.value. As a result, the difference between msg.value and _amount gets stuck in the TokenManager contract.

Code Snippet

/**

* @notice Till in, Transfer token from msg sender to capital pool

* @param _accountAddress Account address

* @param _tokenAddress Token address

* @param _amount Transfer amount

* @param _isPointToken The transfer token is pointToken

* @notice Capital pool should be deployed

* @dev Support ERC20 token and native token

function tillIn(

address _accountAddress,

address _tokenAddress,

uint256 _amount,

bool _isPointToken

)

external

payable

onlyRelatedContracts(tadleFactory, _msgSender())

onlyInTokenWhiteList(_isPointToken, _tokenAddress)

{

/// @notice return if amount is 0

if (_amount == 0) {

return;

}

address capitalPoolAddr = tadleFactory.relatedContracts(

RelatedContractLibraries.CAPITAL_POOL

);

if (capitalPoolAddr == address(0x0)) {

revert Errors.ContractIsNotDeployed();

}

if (_tokenAddress == wrappedNativeToken) {

/**

* @dev token is native token

* @notice check msg value

* @dev if msg value is less than _amount, revert

* @dev wrap native token and transfer to capital pool

if (msg.value < _amount) {

revert Errors.NotEnoughMsgValue(msg.value, _amount);

}

@> IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();

@> _safe_transfer(wrappedNativeToken, capitalPoolAddr, _amount);

} else {

/// @notice token is ERC20 token

_transfer(

_tokenAddress,

_accountAddress,

capitalPoolAddr,

_amount,

capitalPoolAddr

);

}

emit TillIn(_accountAddress, _tokenAddress, _amount, _isPointToken);

}

Impact

Users lose funds because they cannot retrieve them from the TokenManager contract.

Proof Of Concept

The user calls the PreMarket::createOffer function, sending 0.015 ether to the protocol (although the minimum msg.value is 0.012 ether).

Place this into the PreMarkets.t.sol file and execute the following command:

forge test --mt test_fundsStuckInTokenManager -vv

function test_fundsStuckInTokenManager() public {

vm.startPrank(user);

preMarktes.createOffer{ value: 0.015 ether }( // <----- value more than minimum (> 0.012)

CreateOfferParams(

marketPlace,

address(weth9),

1000,

0.01 * 1e18,

12000,

300,

OfferType.Ask,

OfferSettleType.Protected

)

);

vm.stopPrank();

console2.log("userBalanceEth0: ", user.balance);

console2.log("capitalPoolBalaceWeth0: ", weth9.balanceOf(address(capitalPool)));

console2.log("tokenManagerBalaceEth0: ", (address(tokenManager).balance));

}

Output:

Logs:

capitalPoolBalaceWeth0: 12000000000000000

userBalanceEth0: 99999999985000000000000000

tokenManagerBalaceEth0: 3000000000000000 // <------- funds stuck

Tools Used

Manual review

Foundry

Recommended Mitigation

There are a few recommended mitigations here.

Change the current check to not accept extra funds:

/**

* @notice Till in, Transfer token from msg sender to capital pool

* @param _accountAddress Account address

* @param _tokenAddress Token address

* @param _amount Transfer amount

* @param _isPointToken The transfer token is pointToken

* @notice Capital pool should be deployed

* @dev Support ERC20 token and native token

function tillIn(

address _accountAddress,

address _tokenAddress,

uint256 _amount,

bool _isPointToken

)

external

payable

onlyRelatedContracts(tadleFactory, _msgSender())

onlyInTokenWhiteList(_isPointToken, _tokenAddress)

{

/// @notice return if amount is 0

if (_amount == 0) {

return;

}

address capitalPoolAddr = tadleFactory.relatedContracts(

RelatedContractLibraries.CAPITAL_POOL

);

if (capitalPoolAddr == address(0x0)) {

revert Errors.ContractIsNotDeployed();

}

if (_tokenAddress == wrappedNativeToken) {

/**

* @dev token is native token

* @notice check msg value

* @dev if msg value is less than _amount, revert

* @dev wrap native token and transfer to capital pool

- if (msg.value < _amount) {

+ if (msg.value != _amount) {

revert Errors.NotEnoughMsgValue(msg.value, _amount);

}

IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();

_safe_transfer(wrappedNativeToken, capitalPoolAddr, _amount);

} else {

/// @notice token is ERC20 token

_transfer(

_tokenAddress,

_accountAddress,

capitalPoolAddr,

_amount,

capitalPoolAddr

);

}

emit TillIn(_accountAddress, _tokenAddress, _amount, _isPointToken);

}

Alternatively, transfer msg.value instead of _amount to the CapitalPool contract and make other improvements in the code to not only send all funds to CapitalPool but also consider these funds in the users' balances.

/**

* @notice Till in, Transfer token from msg sender to capital pool

* @param _accountAddress Account address

* @param _tokenAddress Token address

* @param _amount Transfer amount

* @param _isPointToken The transfer token is pointToken

* @notice Capital pool should be deployed

* @dev Support ERC20 token and native token

function tillIn(

address _accountAddress,

address _tokenAddress,

uint256 _amount,

bool _isPointToken

)

external

payable

onlyRelatedContracts(tadleFactory, _msgSender())

onlyInTokenWhiteList(_isPointToken, _tokenAddress)

{

/// @notice return if amount is 0

if (_amount == 0) {

return;

}

address capitalPoolAddr = tadleFactory.relatedContracts(

RelatedContractLibraries.CAPITAL_POOL

);

if (capitalPoolAddr == address(0x0)) {

revert Errors.ContractIsNotDeployed();

}

if (_tokenAddress == wrappedNativeToken) {

/**

* @dev token is native token

* @notice check msg value

* @dev if msg value is less than _amount, revert

* @dev wrap native token and transfer to capital pool

if (msg.value < _amount) {

revert Errors.NotEnoughMsgValue(msg.value, _amount);

}

- IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();

+ IWrappedNativeToken(wrappedNativeToken).deposit{value: msg.value}();

- _safe_transfer(wrappedNativeToken, capitalPoolAddr, _amount);

+ _safe_transfer(wrappedNativeToken, capitalPoolAddr, msg.value);

} else {

/// @notice token is ERC20 token

_transfer(

_tokenAddress,

_accountAddress,

capitalPoolAddr,

_amount,

capitalPoolAddr

);

}

emit TillIn(_accountAddress, _tokenAddress, _amount, _isPointToken);

}

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

[invalid] finding-TokenManager-tillin-excess

Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.