Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Input in Approval Functionality of _transfer Function

0xpep7

Summary

The _transfer function within the TokenManager contract uses an incorrect input for the ICapitalPool.approve call, rendering the approval extension functionality inoperable.

Vulnerability Details

The root cause of the vulnerability is that the _transfer function incorrectly passes the address of the TokenManager itself to the ICapitalPool.approve function instead of the token address it should be acquiring approval for.

  • Found in src/core/CapitalPool.sol at Line 24

@>: CapitalPool expects tokenAddr as input which is the address of the ERC20 token that the TokenManager should acquires approval to transfer from the CapitalPool.

24:@> function approve(address tokenAddr) external {
25: address tokenManager = tadleFactory.relatedContracts(
...
39: }

  • Found in src/core/TokenManager.sol at Line 247

@>: However, by entering the TokenManager's address itself, the call would always revert since it does not implement an approve endpoint and it's not a ERC20 derivative either. As a result, users effectively lost their funds to the CapitalPool.

233: function _transfer(
...
246: ) {
247:@> ICapitalPool(_capitalPoolAddr).approve(address(this));
248: }
...
262: }

Let us walk through the issue with the following scenario:

  1. Alice, who is using the TokenManager, triggers the _transfer function via withdraw expecting the TokenManager to gain approval to draw tokens from the CapitalPool and send her her claimable funds.

  2. The TokenManager attempts to call ICapitalPool.approve(address(this)), where address(this) is the TokenManager's address, not the token address.

  3. As a result, the approve call reverts because the TokenManager does not implement an approve function and is not an ERC20 derivative. This makes the approval extension functionality inoperable, and the _transfer function fails to draw any funds from the CapitalPool.

Impact

This vulnerability is severe as it renders the intended functionality, where the TokenManager should be able to extend its approval to spend tokens in the CapitalPool, completely inoperable. If the TokenManager runs out of approval or lacks approval from the CapitalPool in the first place, the _transfer function becomes useless and cannot draw funds from the CapitalPool.

Tools Used

Manual Review

Recommendations

- ICapitalPool(_capitalPoolAddr).approve(address(this))
+ ICapitalPool(_capitalPoolAddr).approve(_token)
Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-approve-wrong-address-input

If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. The argument up in the air is since the approval function `approve` was made permisionless, the `if` block within the internal `_transfer()` function will never be invoked if somebody beforehand calls approval for the TokenManager for the required token, so the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.