Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

First withdrawal attempt of `wrappedNativeToken` will always fail

0xnbvc

Vulnerability Details

In the TokenManager contract, the _transfer() function contains a check to see if the CapitalPool has approved the TokenManager to spend tokens:

TokenManager.sol#L243-L248

if (

_from == _capitalPoolAddr &&

IERC20(_token).allowance(_from, address(this)) == 0x0

) {

>> ICapitalPool(_capitalPoolAddr).approve(address(this));

}

The issue arises when this code attempts to call an approve() function on the TokenManager contract, which doesn't exist. This will cause the first call to withdraw() to revert when trying to withdraw the wrappedNativeToken.

Impact

Users will be unable to withdraw their wrapped native tokens on the first attempt. This creates a poor user experience and may lead to confusion or frustration. It also introduces an unnecessary manual step in the withdrawal process.

Proof of Concept

Alice attempts to withdraw her wrapped native tokens using the withdraw() function in TokenManager.
The _transfer() function is called, which checks if the CapitalPool has approved the TokenManager.
Since the approval is 0, it attempts to call approve() on the TokenManager.
The transaction reverts because TokenManager doesn't have an approve() function.
Alice's withdrawal fails, and she's unable to access her funds.
Alice has to manually approve the TokenManager to spend wrappedNativeToken through CapitalPool::approve() before attempting to withdraw again.

Recommendations

Modify the _transfer() function in TokenManager to properly call approve() on the token directly, rather than attempting to call a non-existent approve() function on itself:

if (

_from == _capitalPoolAddr &&

IERC20(_token).allowance(_from, address(this)) == 0x0

) {

- ICapitalPool(_capitalPoolAddr).approve(address(this));

+ ICapitalPool(_capitalPoolAddr).approve(IERC20(_token));

}

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-TokenManager-approve-wrong-address-input

If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. The argument up in the air is since the approval function `approve` was made permisionless, the `if` block within the internal `_transfer()` function will never be invoked if somebody beforehand calls approval for the TokenManager for the required token, so the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.