if user creates an offer with PreMarkets::createOffer()
function and for some reason decides to close the offer immediately with PreMarkets::createOffer()
function. after that user has to call the TokenManager::withdraw()
function to get Refunded the amount he deposited when creating the offer. but Unfortunately The withdraw()
function in the TokenManager
contract does not call the CapitalPool::approve()
function for the _tokenAddress
, preventing the CapitalPool
from transferring tokens back to the offer creator. This causes withdrawals to fail and revert()
if offer creator wants to get his money back.
Users who create offers and then attempt to withdraw
their funds after closing the offer will encounter failed withdrawals due to the lack of token transfer approval, resulting in the inability to retrieve deposited tokens.
User creates an offer via PreMarkets::createOffer()
.
User decides to close offer for whatever reason via PreMarkets::closeOffer()
.
User now Tries to withdraw the tokens that he deposited when creating offer by calling TokenManager::withdraw()
function.
Unfortunately it fails and the TokenManager::withdraw()
function call reverts due to ERC20InsufficientBalance
.
run the test with following command:
take a look at the logs:
Add an approval step in the withdraw()
function to so CapitalPool
authorizes TokenManager
to transfer tokens back to users with _safe_transfer_from()
function:
This ensures successful withdrawals by allowing CapitalPool
to transfer tokens back to users.
This issue's severity has similar reasonings to #252, whereby If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. Similarly, the argument here is the approval function `approve` was made permisionless, so if somebody beforehand calls approval for the TokenManager for the required token, the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate. It also has a slightly different root cause and fix whereby an explicit approval needs to be provided before a call to `_safe_transfer_from()`, if not, the alternative `_transfer()` function should be used to provide an approval, assuming a fix was implemented for issue #252
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.