Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Unrecoverable Excess ETH Locked in tillIn Function Due to Improper Value Handling

waydou

Summary

The tillIn function in the TokenManager contract has a critical issue where excess ETH sent with a transaction is permanently locked in the contract without any mechanism for refund or recovery. This issue can lead to significant losses for users who mistakenly send more ETH than required. The function only checks if msg.value is less than _amount, but does not handle cases where msg.value is greater, resulting in excess ETH being trapped in the contract.

Vulnerability Details

The tillIn function allows users to deposit native tokens (ETH) or ERC20 tokens into the contract. For native tokens, the function checks if msg.value is less than _amount and reverts if it is, ensuring that users provide enough ETH for the deposit. However, there are several key issues:

Excess ETH Locking: The function does not check if msg.value is greater than _amount, which means any excess ETH sent with the transaction is locked in the contract. The excess amount is not returned to the sender, nor is there a mechanism to withdraw it.
No Refund Mechanism: Once excess ETH is sent to the contract, it is unrecoverable, leading to a potential loss of funds. Users have no way to retrieve the locked ETH, which could result in significant financial losses, especially if large amounts are mistakenly sent.
ERC20 Transactions: For ERC20 token transactions, any ETH sent with the transaction is also locked in the contract. Although the function correctly handles the transfer of ERC20 tokens, it does not account for any ETH sent alongside the transaction, leading to potential value loss.

Impact

The function tillIn is called for exampe in the function listOffer that takes in argument the _amount but call tillIn with transferAmount this means that the possibilty that msg.value is over transferAmount is not low. for a premarket with high trading volume, this will result in a significant amount of tokens locked overtime.

Tools Used

Manual Review

Recommendations

Refund Excess ETH: Add a mechanism to refund any excess ETH back to the sender. This can be achieved by subtracting _amount from msg.value and transferring the difference back to the sender while respecting CEI to avoid any reentrancy issues.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

[invalid] finding-TokenManager-tillin-excess

Invalid, these are by default, invalid based on codehawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check, it is users responsibility to only send an appropriate amount of native tokens where amount == msg.value when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract. > Users sending ETH/native tokens > If contracts allow users to send tokens acc111identally.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.