Tadle

DeFi

30,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Residual Allowance Might Allow Tokens In CapitalPool To Be Stolen

air

Summary

Whenever TokenManager.tillIn() function is called to tranfer native tokens or ethers to the Capital Pool , the contract will call the Capitalpool.approve() function to set the allowance to type(uint256).max so that IWrappedNativeToken contact can pull the payment tokens from the users contract during during creating of offer.

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L32

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L233

Type(uint256).max is the maximum amount of payment tokens that is allowed to be transfered during trades. However ,this is not the actual amount tokens transerred during the transfer process. Thus, after the transfer, there will definitely be some residual allowance since it is unlikely that the IWrappedNativeToken contract will transfer the exact maximum amount during trades.

Impact

Having residual allowance increases the risk of the asset tokens being stolen from the CapitalPool.

The CapitalPool contract is where all the tokens/assets are held. If the IWrappedNativeToken contract is compromised, it will allow the compromised IWrappedNativeToken contract to withdraw funds from the CapitalPool contract due to the residual allowance.

Note that IWrappedNativeToken contract is not totally immutable, as it is a upgradeable contract. This is an additional risk factor to be considered. If the deployer account is compromised, the attacker could upgrade the IWrappedNativeToken contract to a malicious one to withdraw funds from the CapitalPool contract due to the residual allowance.

Since approval is set to type(uint256).max, this will result in large amount of residual allowance left, and expose the CapitalPool contract to significant risk.

Tools Used

Manual Review

Recommendations

Approve the allowance on-demand whenever TokenManager. _transfer() is called, and reset the allowance back to zero after each transfer process to eliminate any residual allowance.

Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Other

Assigned finding tags:

[invalid] finding-CapitalPool-USDT-approve-zero-first

I believe this is invalid, - For weird ERC20s with front-running approval protection such as UDST (only known instance so far), max approval is likely only required to be invoked once, considering the supply cap of such tokens. (USDT supply is at 53.8 billion (53.8e9 * 1e9, so this is 100% sufficient) - If approvals are insufficient, a new proxy for tadle market can always be deployed via the TadleFactory contract and migrated

Prize pool breakdown

Total prize

30,000 USDC

nSLOC

1,229

24 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.