Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

The protocol doesn't handle non-standard ERC20s

Summary

Certain ERC-20 tokens with non-standard implementations can potentially break the protocol. These tokens may not adhere to the expected behavior of standard ERC-20 tokens, leading to unexpected and potentially harmful interactions within the protocol.

Vulnerability Details

Many non-standard ("weird") ERC-20 tokens will not work correctly with this protocol.

A simple example is shown below:

function approve(address tokenAddr) external {
    // Resolve the TokenManager, which is the spender being approved
    address tokenManager = tadleFactory.relatedContracts(
        RelatedContractLibraries.TOKEN_MANAGER
    );
    // Low-level call to token.approve(tokenManager, type(uint256).max);
    // only the call's success flag is inspected, the return data is discarded
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );
    if (!success) {
        revert ApproveFailed();
    }
}

Not every ERC-20 token returns a boolean from approve (USDT, for example, returns nothing at all), which can lead to failures in the protocol.
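To make the token behaviours concrete, the following is an added example (not Tadle's code) with three minimal tokens that differ only in what their approve function returns, and a probe contract that compares the raw low-level call pattern from the excerpt above with a return-data-aware check of the kind SafeERC20 libraries use. All contract and function names here are hypothetical; the selector is computed from the standard approve(address,uint256) signature rather than taken from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the Tadle code base. Names are hypothetical.

// Standard behaviour: approve returns true.
contract ReturnsTrueToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// USDT-style behaviour: approve returns no value at all.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

// Signals failure by returning false instead of reverting.
contract ReturnsFalseToken {
    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

contract ApproveProbe {
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    // Mirrors the pattern in the finding: only the success flag of the
    // low-level call is inspected. The flag is true whenever the callee
    // does not revert, regardless of what (if anything) it returned.
    function rawApprove(address token, address spender) external returns (bool success) {
        (success, ) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, type(uint256).max)
        );
    }

    // Return-data-aware variant: requires the target to have code (a call to
    // an address without code also "succeeds" with empty return data),
    // accepts empty return data (USDT-style) or a decoded true, and treats a
    // decoded false as failure.
    function checkedApprove(address token, address spender) external returns (bool ok) {
        (bool success, bytes memory data) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, type(uint256).max)
        );
        ok = success
            && token.code.length > 0
            && (data.length == 0 || abi.decode(data, (bool)));
    }
}
```

Deploying the three tokens and calling both probe functions against each shows the distinction: rawApprove reports success for all three, because none of them reverts, whereas checkedApprove distinguishes the token that returns false from the two that either return true or return nothing. The code-length check matters for the empty-return case, since without it an approval against a not-yet-deployed or wrong address would also pass.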

Impact

The contract may malfunction for certain tokens, causing transaction failures and potential loss of funds.

Tools Used

Manual Review

Recommendations

Implement Token Whitelisting: Only allow interaction with well-known, standard ERC-20 tokens to prevent the protocol from engaging with "weird" tokens.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

[invalid] finding-CapitalPool-approve-return-boolean

Invalid, a low-level call will always return true as long as the call succeeds without reverting, so this has no impact described, given approvals can only fail when some weird tokens do not allow a uint256.max approval, which is not described in any of the issues below.
