Users will lose excess ETH sent to `TokenManager::tillIn()`
Summary
Vulnerability Detail
The TokenManager contract implements a tillIn() function that allows users to deposit tokens, including wrapped ETH (WETH), into a capital pool. This function is designed to handle both ERC20 tokens and native ETH transactions. When dealing with native ETH, the function wraps it into WETH before transferring to the capital pool.
The tillIn() function includes a check to ensure that the user has sent enough ETH to cover the specified amount:
However, the function does not handle the case where a user sends more ETH than required (msg.value > _amount). In such scenarios, the excess ETH becomes locked in the contract without any mechanism for retrieval.
The root cause of this issue lies in the incomplete handling of ETH value checks. While the function correctly reverts if insufficient ETH is sent, it fails to account for or refund excess ETH, leading to potential fund loss for users.
Relevant code:
Impact
Users who inadvertently send more ETH than the specified _amount will permanently lose access to their excess funds. This issue could lead to significant financial losses for users, especially if large transactions are involved.
The severity of this issue is heightened by the fact that users might not immediately realize they've sent excess ETH, as the transaction would complete successfully. This could result in a loss of trust in the protocol and potential reputational damage.
Moreover, the locked ETH accumulates in the contract over time, creating a honeypot that could attract malicious actors to attempt to exploit the contract to access these funds.
Proof of Concept
Alice intends to deposit 1 ETH into the capital pool using the
tillIn()function.Due to a frontend error or user mistake, Alice sends 2 ETH along with the transaction.
The
tillIn()function processes the transaction:It checks if
msg.value < _amount, which passes as 2 ETH > 1 ETH.It wraps 1 ETH into WETH and transfers it to the capital pool.
The excess 1 ETH remains in the contract.
The transaction completes successfully, but Alice has permanently lost access to 1 ETH.
Tools Used
Manual review
Recommended Mitigation Steps
Implement a mechanism to refund any excess ETH sent by users. This can be achieved by modifying the tillIn() function to check for excess ETH and return it to the sender.
Here's a suggested fix:
This modification ensures that any excess ETH is returned to the sender, preventing unintentional loss of funds.
Lead Judging Commences
[invalid] finding-TokenManager-tillin-excess
Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.