Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

non-token address can be called by the contract

abandonedplanetplut

Summary

non-token contracts should not be put into the params of the approve function, however, it can be put into the params.

Vulnerability Details

//Vector location: ./src/core/CapitalPool.sol::CapitalPool
function approve(address tokenAddr) external {
//no check if the contract is a token contract
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}
}

Impact

-the address which has a malicious logic in the function approve can be called.

-the token that has been mapped before can be mapped once again

Tools Used

VScode, foundry

Recommendations

short term: set the interface like IERC20 or other interfaces to avoid vulnerable contracts being called

long term: set the allowed token lists to minimize the impact of the listsnon-token address can be called by the contract

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-CapitalPool-approve-missing-access-control

This is at most low severity, even though giving max approvals shouldn't be permisionless, the respective tokenManager address is retrieved from the TadleFactory contract whereby the trusted guardian role is responsible for deploying such contracts as seen [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/factory/TadleFactory.sol#L68). Since the user still has to go through the PreMarkets/DeliveryPlace contracts to perform market actions, this max approval cannot be exploited.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.