Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

contract UpgradeableProxy is TransparentUpgradeableProxy is a payable function to accept Assets/tokens but lacks a corresponding function to withdraw it, which makes asstes/token been locked up in the protocol

emma77

Summary

contract UpgradeableProxy is TransparentUpgradeableProxy is a payable function to accept Assets/tokens but lacks a corresponding function to withdraw it, which makes asstes/token been locked up in the protocol

Vulnerability Details

There are no corresponding function to withdraw it, which makes asstes/token been locked up in the protocol

// SPDX-License-Identifier: GPL-2.0-or-later

pragma solidity ^0.8.13;

// Upgradeable proxy contract used in OZ upgrades plugin

// @notice the version of OZ contracts is `5.0.2`

// @notice the first storage slot is used as admin

import {TransparentUpgradeableProxy} from "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";

import {ITadleFactory} from "../factory/ITadleFactory.sol";

import {Errors} from "../utils/Errors.sol";

/**

* @title UpgradeableProxy

* @notice This contrct is based on TransparentUpgradeableProxy.

* @dev This contrct serves as the proxy of SystemConfig, PreMarkets, DeliveryPlace, CapitalPool and TokenManager.

* @notice the first storage slot is used as admin.

* @notice the second storage slot is used as tadle factory.

* @notice Total Storage Gaps: 50, UnUsed Storage Slots: 49.

contract UpgradeableProxy is TransparentUpgradeableProxy {

ITadleFactory public tadleFactory;

/**

* @param _logic address of logic contract

* @param _admin address of admin

* @param _data call data for logic

constructor(

address _logic,

address _admin,

address _tadleFactory,

bytes memory _data

) TransparentUpgradeableProxy(_logic, _admin, _data) {

tadleFactory = ITadleFactory(_tadleFactory);

}

receive() external payable {}

/**

* @dev This empty reserved space is put in place to allow future versions to add new

* variables without shifting down storage in the inheritance chain.

* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps

uint256[49] private __gap;

}

Impact

makes asstes/token been locked up in the protocol

Tools Used

manual review

Recommendations

implement a public or external function that allows for the withdrawal of assets/token from the contract.

Updates

Lead Judging Commences

0xnevi Lead Judge

12 months ago

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.