Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unnecessary max approve puts node delegator assets at risk #266

Closed
c4-submissions opened this issue Nov 14, 2023 · 4 comments
Closed

Unnecessary max approve puts node delegator assets at risk #266

c4-submissions opened this issue Nov 14, 2023 · 4 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-70 grade-b insufficient quality report This report is not of sufficient quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/NodeDelegator.sol#L45

Vulnerability details

Impact

In NodeDelegator.sol, the only method to deposit assets into an EigenLayer Strategy requires the MANAGER role to call maxApproveToEigenStrategyManager(address) which approves the maximum allowance of an asset to an EigenLayer strategy. This allowance stays at the maximum and cannot be updated or revoked.

https://github.com/code-423n4/2023-11-kelp/blob/main/src/NodeDelegator.sol#L45

If any vulnerability is found in a particular EigenLayer strategy that takes advantage of this allowance, all assets deposited to a node delegator are at risk.

This is medium severity due to having an external requirement in EigenLayer.

Proof of Concept

  1. Admin adds a node delegator https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
  2. MANAGER of NodeDelegator calls maxApproveToEigenStrategyManager(address) https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
  3. Configured EIGEN_STRATEGY_MANAGER contract has full allowance of asset held by NodeDelegator. A vulnerability in this contract could put all assets at risk

Tools Used

Manual review

Recommended Mitigation Steps

A potential mitigation is to only approve the amount needed at the time of deposit.

Current:
https://github.com/code-423n4/2023-11-kelp/blob/main/src/NodeDelegator.sol#L67

function depositAssetIntoStrategy(address asset)
        external
        override
        whenNotPaused
        nonReentrant
        onlySupportedAsset(asset)
        onlyLRTManager
    {
        ...
        IEigenStrategyManager(eigenlayerStrategyManagerAddress).depositIntoStrategy(IStrategy(strategy), token, balance);
    }

Recommended:

```solidity
function depositAssetIntoStrategy(address asset)
        external
        override
        whenNotPaused
        nonReentrant
        onlySupportedAsset(asset)
        onlyLRTManager
    {
        ...
        token.approve(eigenlayerStrategyManagerAddress, balance);
        IEigenStrategyManager(eigenlayerStrategyManagerAddress).depositIntoStrategy(IStrategy(strategy), token, balance);
    }

Assessed type

ERC20
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 14, 2023
c4-submissions added a commit that referenced this issue Nov 14, 2023
@c4-submissions
codynhat issue #266
8d83914
@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Nov 16, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #70

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Nov 29, 2023
@c4-judge
Copy link
Contributor

fatherGoose1 changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as grade-b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-70 grade-b insufficient quality report This report is not of sufficient quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-submissions