Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

User balance checks can prevent Native Token transfer, causing DoS for users

namx05

Summary

The tillIn() function includes a validation to ensure that the msg.value sent with the transaction is greater than the specified amount. This condition inadvertently causes a denial of service (DoS) when the msg.value is exactly equal to the amount, preventing users from successfully transferring native tokens even when they have provided the correct value.

Vulnerability Details

The tillIn function allows certain related contracts to deposit tokens into a capital pool. The relevant code snippet is as follows:

function tillIn(

address _accountAddress,

address _tokenAddress,

uint256 _amount,

bool _isPointToken

)

external

payable

onlyRelatedContracts(tadleFactory, _msgSender())

onlyInTokenWhiteList(_isPointToken, _tokenAddress)

{

/// @notice return if amount is 0

if (_amount == 0) {

return;

}

address capitalPoolAddr = tadleFactory.relatedContracts(

RelatedContractLibraries.CAPITAL_POOL

);

if (capitalPoolAddr == address(0x0)) {

revert Errors.ContractIsNotDeployed();

}

if (_tokenAddress == wrappedNativeToken) {

/**

* @dev token is native token

* @notice check msg value

* @dev if msg value is less than _amount, revert

* @dev wrap native token and transfer to capital pool

@> if (msg.value < _amount) { //@audit

revert Errors.NotEnoughMsgValue(msg.value, _amount);

}

IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();

_safe_transfer(wrappedNativeToken, capitalPoolAddr, _amount);

}

The condition if (msg.value < _amount) is intended to ensure that the transaction includes sufficient value. However, this condition fails to account for the case where msg.value is exactly equal to _amount, preventing valid transfers.

Affected LoC:

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L86

Impact

This issue can cause a denial of service (DoS) for users attempting to transfer native tokens when the provided msg.value matches the _amount exactly. The contract will incorrectly revert the transaction, resulting in users being unable to complete valid token transfers.

Tools Used

Manual

Recommendations

To mitigate this issue, the condition should be updated to allow transactions where msg.value is equal to or greater than _amount. The corrected condition should be:

diff --git a/src/core/TokenManager.sol b/src/core/TokenManager.sol

index 1d1b2ea..4ffb37f 100644

--- a/src/core/TokenManager.sol

+++ b/src/core/TokenManager.sol

@@ -83,7 +83,7 @@ contract TokenManager is

* @dev if msg value is less than _amount, revert

* @dev wrap native token and transfer to capital pool

- if (msg.value < _amount) {

+ if (msg.value <= _amount) {

revert Errors.NotEnoughMsgValue(msg.value, _amount);

}

IWrappedNativeToken(wrappedNativeToken).deposit{value: _amount}();

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

namx05 Submitter

about 1 year ago

0xnevi Lead Judge

about 1 year ago

namx05 Submitter

about 1 year ago

0xnevi Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.