Tadle

DeFi
30,000 USDC
Submission Details
Severity: medium
Invalid

Failure to Process Withdrawals with Restricted Addresses.

Summary

The system does not properly handle the case where a user's address is blacklisted.
This oversight can cause tokens to get stuck, leading to potential financial loss or an inability
for users to withdraw their assets.

Vulnerability Details

The current system fails to manage token withdrawals effectively when the target address is blacklisted.
It provides no alternative for blacklisted addresses, so the affected user will not be able to withdraw tokens.

File: https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/TokenManager.sol#L175-L180

    function withdraw(
        address _tokenAddress,
        TokenBalanceType _tokenBalanceType
    ) external whenNotPaused {
        // ...
        if (_tokenAddress == wrappedNativeToken) {
            // ...
        } else {
            // @audit _msgSender() returns msg.sender.
            _safe_transfer_from(
                _tokenAddress,
                capitalPoolAddr,
    @>>>        _msgSender(),
                claimAbleAmount
            );
        }
        // ...
    }

    function _safe_transfer_from(address token, address from, address to, uint256 amount) internal {
        // Low-level transferFrom call; any revert inside the token surfaces as TransferFailed.
        (bool success, ) = token.call(
    @>>>    abi.encodeWithSelector(TRANSFER_FROM_SELECTOR, from, to, amount)
        );
        if (!success) revert TransferFailed();
    }

Impact

The user will not be able to withdraw funds.
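
A minimal model of the failure described above, added here as an illustration and not taken from the Tadle code base. `BlacklistToken`, `WithdrawModel`, `credit` and `withdrawTo` are hypothetical names, and the pool is assumed to have approved `WithdrawModel` to spend its tokens; a blacklisted caller's `withdraw` always reverts with `TransferFailed`, while `withdrawTo` can pay the same balance to another address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Hypothetical token that enforces a blacklist: transfers touching a listed address revert.
contract BlacklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // test helper
    function setBlacklisted(address who, bool flag) external { blacklisted[who] = flag; } // test helper
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(!blacklisted[from] && !blacklisted[to], "blacklisted");
        allowance[from][msg.sender] -= amount; // reverts on underflow in 0.8
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical payout contract; pays from `pool` via transferFrom like the excerpt above.
contract WithdrawModel {
    bytes4 private constant TRANSFER_FROM_SELECTOR =
        bytes4(keccak256("transferFrom(address,address,uint256)"));
    error TransferFailed();
    address public immutable pool;
    mapping(address => mapping(address => uint256)) public claimable; // user => token => amount

    constructor(address pool_) { pool = pool_; }
    // Test helper (unrestricted in this model): records what `user` may claim.
    function credit(address user, address token, uint256 amount) external { claimable[user][token] += amount; }

    // Pattern from the finding: the recipient is always the caller.
    function withdraw(address token) external { _payout(token, msg.sender); }
    // Pattern from the recommendation: the caller names the recipient.
    function withdrawTo(address token, address receiver) external {
        require(receiver != address(0), "zero receiver");
        _payout(token, receiver);
    }
    function _payout(address token, address to) internal {
        uint256 amount = claimable[msg.sender][token];
        claimable[msg.sender][token] = 0; // cleared before the external call; restored if it reverts
        (bool success, ) = token.call(abi.encodeWithSelector(TRANSFER_FROM_SELECTOR, pool, to, amount));
        if (!success) revert TransferFailed();
    }
}
```

Because the revert rolls back the zeroed balance, the blacklisted user's `claimable` entry stays non-zero but can never be paid out through `withdraw`.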

Tools Used

Recommendations

- function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType) external whenNotPaused {
+ function withdraw(address _tokenAddress, TokenBalanceType _tokenBalanceType, address receiver) external whenNotPaused {
// ...
if (_tokenAddress == wrappedNativeToken) {
// ...
} else {
- _safe_transfer_from(_tokenAddress, capitalPoolAddr, _msgSender(), claimAbleAmount);
+ _safe_transfer_from(_tokenAddress, capitalPoolAddr, receiver, claimAbleAmount);
}
}
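
Review bot: the new `receiver` argument in `withdraw` reaches `_safe_transfer_from` in the else branch with no validation, so a caller passing `address(0)` or a mistyped address can direct the payout somewhere unintended; add a `receiver != address(0)` check before the transfer and document the parameter. Only the else branch is changed here and the `wrappedNativeToken` branch is elided, so confirm that branch also pays `receiver`, otherwise the two paths send funds to different addresses. Changing the external signature also breaks existing callers of the two-argument `withdraw`, which should be stated alongside the change.
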
Updates

Lead Judging Commences

0xnevi Lead Judge
11 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
