Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

Token transfer from TokenManager to CapitalPool can be blocked

Summary

Token transfer from TokenManager to CapitalPool can be blocked in case of insufficient allowance.

Vulnerability Details

Currently there are two options for token transfers between TokenManager and CapitalPool: it either approves type(uint256).max or checks whether the current allowance is zero:

```solidity
function approve(address tokenAddr) external {
    address tokenManager = tadleFactory.relatedContracts(
        RelatedContractLibraries.TOKEN_MANAGER
    );
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
@>          type(uint256).max
        )
    );
    ...
}
```

And here is the check in the transfer function:

```solidity
function _transfer(
    address _token,
    address _from,
    address _to,
    uint256 _amount,
    address _capitalPoolAddr
) internal {
    uint256 fromBalanceBef = IERC20(_token).balanceOf(_from);
    uint256 toBalanceBef = IERC20(_token).balanceOf(_to);
    if (
        _from == _capitalPoolAddr &&
@>      IERC20(_token).allowance(_from, address(this)) == 0x0
    ) {
        ICapitalPool(_capitalPoolAddr).approve(address(this));
    }
    ...
}
```

Consider the scenario in which a large amount of tokens must be transferred from TokenManager to CapitalPool:

  1. The current allowance is not equal to zero;

  2. The amount to transfer is more than the allowance;

  3. The transfer will fail as it doesn't have enough rights to transfer the tokens, and it is impossible to call approve() to increase it.

  4. The tokens will not be transferred, and some core functions from the related PreMarkets contract will be blocked.

Impact

Token transfers will be blocked between contracts.

Tools Used

Manual review

Recommendations

Provide a check to see whether it has enough allowance before the token transfer, and approve again if it does not.
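
A minimal model of the scenario above, contrasting the `== 0` check with the recommended comparison against the transfer amount. It is an added illustration, not code from the submission or from the Tadle repository: ToyToken, ToyPool, ToyManager, Scenario and their functions are hypothetical names, and the starting allowance of 10 is constructed to reproduce steps 1 and 2.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Tadle code: every contract and function name below is hypothetical.
contract ToyToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt;
        return true;
    }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt; // checked math: reverts when allowance < amt
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

contract ToyPool { // stands in for CapitalPool
    function approveMax(ToyToken t, address spender) external { t.approve(spender, type(uint256).max); }
    // Constructed setup helper: puts the pool into the "non-zero but too small" state.
    function approveExact(ToyToken t, address spender, uint256 amt) external { t.approve(spender, amt); }
}

contract ToyManager { // stands in for TokenManager
    // Check as shown in the finding: re-approve only when the allowance is exactly zero.
    function pullZeroCheck(ToyToken t, ToyPool p, address to, uint256 amt) external {
        if (t.allowance(address(p), address(this)) == 0) p.approveMax(t, address(this));
        t.transferFrom(address(p), to, amt);
    }
    // Check as recommended: re-approve whenever the allowance cannot cover this transfer.
    function pullAmountCheck(ToyToken t, ToyPool p, address to, uint256 amt) external {
        if (t.allowance(address(p), address(this)) < amt) p.approveMax(t, address(this));
        t.transferFrom(address(p), to, amt);
    }
}

contract Scenario {
    // Allowance 10, transfer 50: reports whether each variant completed without reverting.
    function run() external returns (bool zeroCheckOk, bool amountCheckOk) {
        ToyToken t = new ToyToken();
        ToyPool p = new ToyPool();
        ToyManager m = new ToyManager();
        t.mint(address(p), 100);
        p.approveExact(t, address(m), 10);
        try m.pullZeroCheck(t, p, address(this), 50) { zeroCheckOk = true; } catch {}
        try m.pullAmountCheck(t, p, address(this), 50) { amountCheckOk = true; } catch {}
    }
}
```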

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity. Even though giving max approvals shouldn't be permissionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.
