Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Valid

No Tadle feature can be used with ERC20 tokens that have custom transfer logic (e.g. fee-on-transfer tokens, deflationary tokens)

Summary

Different ERC-20 token implementations behave differently with respect to the amount actually received when tokens are transferred. For example, USDT on Ethereum (a fee-on-transfer token) can charge a fee on every ERC-20 transfer, while STA (a deflationary token) burns a percentage of each transferred amount.

These token types (collectively known as Weird ERC20 tokens) are incompatible with the transfer-accounting logic of the current Tadle contracts.

Vulnerability Details

Let's look at the `_transfer()` internal function of the TokenManager.sol contract:

```solidity
function _transfer(
    address _token,
    address _from,
    address _to,
    uint256 _amount,
    address _capitalPoolAddr
) internal {
    // Snapshot both balances before the transfer
    uint256 fromBalanceBef = IERC20(_token).balanceOf(_from);
    uint256 toBalanceBef = IERC20(_token).balanceOf(_to);

    // When pulling from the capital pool, make sure it has approved this contract
    if (
        _from == _capitalPoolAddr &&
        IERC20(_token).allowance(_from, address(this)) == 0x0
    ) {
        ICapitalPool(_capitalPoolAddr).approve(address(this));
    }

    _safe_transfer_from(_token, _from, _to, _amount);

    // Require the balance deltas to equal _amount exactly; any fee or burn
    // applied inside the token's transfer makes one of these checks revert
    uint256 fromBalanceAft = IERC20(_token).balanceOf(_from);
    uint256 toBalanceAft = IERC20(_token).balanceOf(_to);
    if (fromBalanceAft != fromBalanceBef - _amount) {
        revert TransferFailed();
    }
    if (toBalanceAft != toBalanceBef + _amount) {
        revert TransferFailed();
    }
}
```

In the above function, after `_safe_transfer_from()` is invoked (which calls the ERC20 contract using `TRANSFER_FROM_SELECTOR` from the Rescuable.sol contract), the function checks that the balance delta of both the `_from` and the `_to` address, measured before and after the transfer, is exactly equal to `_amount`.

As mentioned in the summary, some tokens that still comply with the ERC20 interface customize the logic of their transfer function according to their business rules. Because of this customization, the amount actually credited to the `_to` address is not equal to the input amount, so the balance-delta check above fails and the call reverts.

Impact

Every current Tadle feature that moves a Weird ERC20 token through `_transfer()` will always revert with `TransferFailed()`.

Tools Used

Manual review

Recommendations

Solution 1: Remove the logic in the `_transfer()` internal function of the TokenManager.sol contract that checks the balance delta before and after the token transfer.

Solution 2: Disallow Weird ERC20 tokens on the Tadle marketplace (do not add them to the token whitelist).
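To make the failure mode concrete, here is an added example (not Tadle's code) with a constructed mock token that burns 1% of every transfer, a transfer helper that mirrors the exact-delta check from `_transfer()`, and a hardened variant that measures and returns the amount actually received so the caller can credit that figure instead of the nominal one. The `FeeOnTransferToken`, `TransferDemo` and `measuredTransfer` names are all assumptions introduced for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

/// Constructed mock (hypothetical): burns a 1% fee on every transfer.
contract FeeOnTransferToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public constant FEE_BPS = 100; // 1% expressed in basis points

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;                 // sender loses the full amount
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[to] += amount - fee;             // recipient receives less than `amount`
        return true;
    }
}

contract TransferDemo {
    error TransferFailed();

    /// Mirrors the exact-delta check in TokenManager._transfer(): reverts for any FoT token,
    /// because balanceOf(to) grows by amount - fee, never by amount.
    function strictTransfer(IERC20 token, address from, address to, uint256 amount) external {
        uint256 toBefore = token.balanceOf(to);
        require(token.transferFrom(from, to, amount), "transferFrom returned false");
        if (token.balanceOf(to) != toBefore + amount) revert TransferFailed();
    }

    /// Hardened variant (assumption, not the project's fix): measure what actually arrived
    /// and hand it back so the caller accounts for `received`, not the nominal `amount`.
    function measuredTransfer(IERC20 token, address from, address to, uint256 amount) external returns (uint256 received) {
        uint256 toBefore = token.balanceOf(to);
        require(token.transferFrom(from, to, amount), "transferFrom returned false");
        received = token.balanceOf(to) - toBefore;
        require(received > 0, "nothing received");
    }
}
```

With a 1,000-unit transfer through the mock, `strictTransfer` reverts with `TransferFailed()` while `measuredTransfer` returns 990; the same measured-delta approach would also let the protocol reject tokens that deliver nothing at all.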

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-FOT-Rebasing

Valid medium, there are disruptions to the ability to take market actions. The following functions will be disrupted without the possibility of reaching settlement, since the respective offers cannot be created/listed regardless of mode when transferring collateral token required to the CapitalPool contract or when refunding token from user to capital pool during relisting. So withdrawal is not an issue:

- `createOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L96-L102)
- `listOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L355-L362)
- `relistOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L515-L521)
- `createTaker()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L831-L836)

I believe medium severity is appropriate although the likelihood is high and impact is medium (only some level of disruption i.e. FOT tokens not supported and no funds at risk)
