Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Sending Native ETH is Not Protected from Functions: `tillIn` and `withdraw`

th3yardmic

Summary

The TokenManager contract contains functions tillIn and withdraw that handle native ETH transactions. These functions lack adequate access control, which could allow unauthorized users or contracts to deposit or withdraw ETH, potentially compromising the security of the contract.

Vulnerability Details

The functions tillIn and withdraw handle ETH without strict checks on msg.sender. The tillIn function allows any caller to deposit ETH into the contract, and the withdraw function allows any caller to withdraw ETH, assuming the contract's state allows it. This could be exploited by malicious actors to deposit and withdraw ETH without proper authorization.

  • Function tillIn: Allows deposits of ETH without restricting who can call it. The check for sufficient ETH (msg.value < _amount) cannot prevent unauthorized deposits.

  • Function withdraw: Allows ETH withdrawals without restricting who can request a withdrawal. This function transfers ETH directly to the msg.sender, potentially allowing unauthorized users to claim funds.

Impact

  • Unauthorized Deposits: Malicious users could deposit ETH into the contract, potentially crowding out legitimate operations or misappropriating funds.

  • Unauthorized Withdrawals: Attackers could withdraw ETH without proper authorization, leading to financial loss or unauthorized access to the contract’s funds.

The impact is high as it directly affects the contract's ability to manage ETH securely, risking potential financial losses and undermining the trust in the contract’s operations.

Tools Used

  • Forge

  • Foundry

Exploit Code

To demonstrate the potential exploit, here is a simplified contract that interacts with the vulnerable TokenManager contract:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "./TokenManager.sol";
contract MaliciousUser {
TokenManager public tokenManager;
constructor(address _tokenManager) {
tokenManager = TokenManager(_tokenManager);
}
// Function to exploit the vulnerability and withdraw ETH
function exploitWithdraw() external {
// Assumes the contract has some ETH and the exploit succeeds
tokenManager.withdraw(address(0), TokenManager.TokenBalanceType.PointToken);
}
// Function to exploit the vulnerability and deposit ETH
function exploitDeposit() external payable {
// Send ETH to the contract to exploit the tillIn function
tokenManager.tillIn(address(this), address(0), msg.value, false);
}
}

Recommendations

  1. Implement Access Control:

    • Add appropriate access control modifiers (e.g., onlyOwner or custom role-based access control) to the tillIn and withdraw functions. Ensure that only authorized users or contracts can call these functions.

    modifier onlyAuthorized() {
    require(/* condition for authorized access */, "Not authorized");
    _;
    }
    function tillIn(/* parameters */) external payable onlyAuthorized {
    // Function logic
    }
    function withdraw(/* parameters */) external onlyAuthorized {
    // Function logic
    }

  2. Verify ETH Handling:

    • Ensure that ETH deposits and withdrawals are handled securely. Consider adding checks to validate the caller's authorization and to prevent unauthorized access.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-lack-access-control

Invalid, withdrawals are gated to caller context `msg.sender`, not anybody. This acts as the access control and hence "owner", to withdraw collateral/points tokens after finalization of market actions.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.