Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Lack of support for rebasing tokens due to static mapping

robertodf99

Summary

The contest guidelines specify that all ERC-20 compliant tokens are within scope. However, the use of static mapping in the TokenManager contract for adding sale proceeds to askers or refunding users may lead to inaccurate balance tracking when dealing with rebasing tokens.

function addTokenBalance(

TokenBalanceType _tokenBalanceType,

address _accountAddress,

address _tokenAddress,

uint256 _amount

) external onlyRelatedContracts(tadleFactory, _msgSender()) {

@> userTokenBalanceMap[_accountAddress][_tokenAddress][

_tokenBalanceType

] += _amount;

emit AddTokenBalance(

_accountAddress,

_tokenAddress,

_tokenBalanceType,

_amount

);

}

Vulnerability Details

Static mappings do not account for balance changes that occur outside of direct transfers, such as those caused by rebasing events or airdrops. This limitation can create edge cases, such as the partial inability to fulfill user withdrawals during negative rebase events.

Impact

Assume the following sequence of events:

Bob creates an ask offer for 1000 points setting an amount of 1e18 token A. A being a rebasing token such that its price targets the CPI adjusted dollar.
Alice takes the offer and the 1e18 are added into Bob's mapping.
After some time a negative rebasing event occurs and Bob decides to withdraw the sale proceeds by calling TokenManager::withdraw. The contract tries to send Bob the 1e18 tokens obtained from the sale, however due to the negative rebase, the contract's token balance is actually smaller, therefore the function call reverts and Bob will have to wait until other users replenish the balance by creating offers using the same token.

Tools Used

Manual review.

Recommendations

Given the structure of the current codebase, I recommend not whitelisting tokens that could lead to asset loss for users.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-TokenManager-FOT-Rebasing

Valid medium, there are disruptions to the ability to take market actions. The following functions will be disrupted without the possibiliy of reaching settlement, since the respective offers cannot be created/listed regardless of mode when transferring collateral token required to the CapitalPool contract or when refunding token from user to capital pool during relisting. So withdrawal is not an issue - `createOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L96-L102) - `listOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L355-L362) - `relistOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L515-L521) - `createTaker()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L831-L836) I believe medium severity is appropriate although the likelihood is high and impact is medium (only some level of disruption i.e. FOT tokens not supported and no funds at risk)

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.