Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Insufficient check to Ether transfer can cause a user to get less amount saved for Offer

vladzaev

Summary

While creating an Offer a user can mistakely send more Ether than required and get less amount value saved for the Offer.

Vulnerability Details

When user creating an Offer he can send a native token (ETH) with it that will be save as params.amount in the Offer:

function createOffer(CreateOfferParams calldata params) external payable {
...
{
/// @dev transfer collateral from _msgSender() to capital pool
uint256 transferAmount = OfferLibraries.getDepositAmount(
params.offerType,
params.collateralRate,
params.amount,
true,
Math.Rounding.Ceil
);
ITokenManager tokenManager = tadleFactory.getTokenManager();
@> tokenManager.tillIn{value: msg.value}(
_msgSender(),
params.tokenAddress,
transferAmount,
false
);
}
...
/// @dev update offer info
offerInfoMap[offerAddr] = OfferInfo({
id: offerId,
authority: _msgSender(),
maker: makerAddr,
offerStatus: OfferStatus.Virgin,
offerType: params.offerType,
points: params.points,
@> amount: params.amount,
collateralRate: params.collateralRate,
abortOfferStatus: AbortOfferStatus.Initialized,
usedPoints: 0,
tradeTax: 0,
settledPoints: 0,
settledPointTokenAmount: 0,
settledCollateralAmount: 0
});
}

In TokenManager it has a check to be sure amount is more or equal to `msg.value` :

function tillIn(
address _accountAddress,
address _tokenAddress,
uint256 _amount,
bool _isPointToken
)
external
payable
onlyRelatedContracts(tadleFactory, _msgSender())
onlyInTokenWhiteList(_isPointToken, _tokenAddress)
{
...
if (_tokenAddress == wrappedNativeToken) {
/**
* @dev token is native token
* @notice check msg value
* @dev if msg value is less than _amount, revert
* @dev wrap native token and transfer to capital pool
*/
@> if (msg.value < _amount) {
revert Errors.NotEnoughMsgValue(msg.value, _amount);
}
IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();
_safe_transfer(wrappedNativeToken, capitalPoolAddr, _amount);
} else {
...
}
emit TillIn(_accountAddress, _tokenAddress, _amount, _isPointToken);
}

However, none of these functions have a check to see if the value equal to msg.value is saved for OfferInfo.

A user may accidentally send more Eth than they specified in params.amount and this value will be stored in the Offer.

For example,

Bob wants to create an offer and specify the params.amount as 1_000_000, but he wanted to write 10_000_000. He sends the required amount of Ether (10_000_000) but only receives 1_000_000. When he will try to cancel the Offer and get a refund, he will get exactly 1_000_000 but not the amount of ether he sent.

Impact

While creating an Offer a user can mistakely send more Ether than required and get less amount value saved for the Offer.

Tools Used

Manual review

Recommendations

In case of Ether transfer, cosider adding a check to make sure params.amountis equal to msg.value when crating a new offer, like:

require(msg.value == params.amount, 'Incorrect amount');
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-TokenManager-tillin-excess

Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.