Submission Details
Severity:
Lack of checking whether _accountAddress has enough balance to be sent to _to na tillIn and _transfer
Summary
The internal function _``transfer_ will fail if the address _from (_accountAddress), passed in the function TokenManager::tillIn() does not have enough balance.
Vulnerability Details
Impact
The caller of the tillIn function has to pay an amount to send money to capitalPool, if the _accountAddress that he passes as a parameter does not have enough balance, the transaction will fail.
Tools Used
Manual Review, Foundry
// Test tillIn function reverts if _accountAddress has insufficient balance
//new address(user4) with low balance
deal(address(mockUSDCToken), user4, 1e18);
vm.prank(user4);
mockUSDCToken.approve(address(tokenManager), type(uint256).max);
//caller of tillIn() must be relatedContract
vm.startPrank(address(deliveryPlace));
//the value passed can be any value above user4's balance
tokenManager.tillIn(address(user4), address(mockUSDCToken), 2e18, true);
vm.stopPrank();
// Logs
├─ [1006] MockERC20Token::transferFrom(0xe1AB8145F7E55DC933d51a18c793F901A3A0b276, UpgradeableProxy: [0x76006C4471fb6aDd17728e9c9c8B67d5AF06cDA0], 2000000000000000000 [2e18])
│ │ │ └─ ← ERC20InsufficientBalance(0xe1AB8145F7E55DC933d51a18c793F901A3A0b276, 1000000000000000000 [1e18], 2000000000000000000 [2e18])
│ │ └─ ← TransferFailed()
│ └─ ← TransferFailed()
└─ ← TransferFailed()
Recommendations
Consider doing a sender balance check.
Prize pool breakdown
Total prize
27,750 USDC
nSLOC
1,22923
USDC / LOC
25,000 USDC
2,750 USDC
2,250 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.