[M-01] APPROVING MAXIMUM VALUE in NodeDelegator contract #153
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-70
edited-by-warden
grade-b
insufficient quality report
This report is not of sufficient quality
Q-113
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
c4-submissions
added
2 (Med Risk)
|
raymondfam marked the issue as duplicate of #70 |
|
raymondfam marked the issue as insufficient quality report |
c4-pre-sort
added
the
insufficient quality report
c4-judge
added
downgraded by judge
|
fatherGoose1 changed the severity to QA (Quality Assurance) |
|
fatherGoose1 marked the issue as grade-b |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/NodeDelegator.sol#L35-L46
Vulnerability details
Impact
The function maxApproveToEigenStrategyManager was detected to be using the maximum value for the approval amount in the NodeDelegator contract.
This is a malicious behavior and should be discouraged.
Proof of Concept
Vulnerable maxApproveToEigenStrategyManager function
/// @notice Approves the maximum amount of an asset to the eigen strategy manager /// @dev only supported assets can be deposited and only called by the LRT manager /// @param asset the asset to deposit function maxApproveToEigenStrategyManager(address asset) external override onlySupportedAsset(asset) onlyLRTManager { address eigenlayerStrategyManagerAddress = lrtConfig.getContract(LRTConstants.EIGEN_STRATEGY_MANAGER); IERC20(asset).approve(eigenlayerStrategyManagerAddress, type(uint256).max); }Tools Used
VS Code.
Recommended Mitigation Steps
Change the amount to be approved to a smaller amount.
And utilise safeIncreaseAllowance or safeDecreaseAllowance.
Assessed type
Token-Transfer
The text was updated successfully, but these errors were encountered: