Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Incorrect Implementation Of Token Approval Logic

auditweiler

Summary

The TokenManager's exhibits pathological token transfer flows.

Vulnerability Details

When attempting to transfer tokens from the ICapitalPool, the TokenManager attempts to ensure infinite spend approvals as follows:

if (
_from == _capitalPoolAddr &&
IERC20(_token).allowance(_from, address(this)) == 0x0
) {
ICapitalPool(_capitalPoolAddr).approve(address(this));
}

However, passing address(this)is incorrect, as the is not itself a token. Due to the lack of an approval definition, calls will revert:

/**
* @dev Approve token for token manager
* @notice only can be called by token manager
* @param tokenAddr address of token
*/
function approve(address tokenAddr) external { /// @audit TokenManager_is_not_an_erc20
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR, /// @audit there_is_no_such_function
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed(); /// @audit will_always_revert
}
}

Impact

Denial of service when attempting to transfer unapproved tokens and arbitrary spend approvals until the approval is executed manually.

Tools Used

Manual Review

Recommendations

Firstly, ensure we pass the address of the token so that approvals may be :

ICapitalPool(_capitalPoolAddr).approve(_token);

To increase security, please consider introducing access control mechanisms on the CapitalPool:

/**
* @dev Approve token for token manager
* @notice only can be called by token manager
* @param tokenAddr address of token
*/
function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
/// @notice Ensure only the `TokenManager` can mediate approvals.
require(_msgSender() == tokenManager, "NOT_AUTHORIZED");
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

Finally, it is recommended to use a safeApprove to maximize token compatibility.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-approve-wrong-address-input

If we consider the correct permissioned implementation for the `approve()` function within `CapitalPool.sol`, this would be a critical severity issue, because the withdrawal of funds will be permanently blocked and must be rescued by the admin via the `Rescuable.sol` contract, given it will always revert [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L36-L38) when attempting to call a non-existent function selector `approve` within the TokenManager contract. The argument up in the air is since the approval function `approve` was made permisionless, the `if` block within the internal `_transfer()` function will never be invoked if somebody beforehand calls approval for the TokenManager for the required token, so the transfer will infact not revert when a withdrawal is invoked. I will leave open for escalation discussions, but based on my first point, I believe high severity is appropriate.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.