The approveTo function in the L1Vault smart contract contains a low-risk issue where the return value of the approve function is not checked. Failing to verify the success of the approval operation may result in unexpected behavior, particularly in scenarios where the approval fails. This vulnerability could lead to a situation where funds sent to L1Vault become permanently inaccessible.
The vulnerability arises because the approveTo function does not validate the return value of token.approve. If L1BossBridge calls approveTo and the approval returns false (indicating a failure), L1BossBridge has no mechanism to reattempt the approval. Consequently, all funds sent to L1Vault would remain locked and inaccessible.
The impact becomes significant in the scenario where the approval fails. If L1BossBridge cannot retry the approval, any funds intended for the L1Vault would be permanently locked, leading to a loss of access to those funds.
Manual review
Check Return Value: Implement a check on the return value of the token.approve function within the approveTo function to ensure that the approval operation is successful. This helps prevent potential issues related to the allowance not being updated as expected.
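The recommended check, shown beside the unchecked pattern, as an added example that is not the audited L1Vault source. VaultSketch, FalseReturningToken, the ApproveFailed error and the owner handling are assumptions made for illustration; only approveTo and token.approve come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-ins, not the audited contracts.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed test token: approve() signals failure by returning false
// instead of reverting, which is the case the finding is concerned with.
contract FalseReturningToken is IERC20 {
    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

contract VaultSketch {
    IERC20 public immutable token;
    address public immutable owner; // assumed to be the bridge that deploys the vault

    error NotOwner();
    error ApproveFailed(address target, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Pattern described in the finding: the bool result is discarded, so a
    // false return looks like success to the caller and no allowance is set.
    function approveToUnchecked(address target, uint256 amount) external onlyOwner {
        token.approve(target, amount);
    }

    // Recommended pattern: turn a false return into a revert so the caller
    // cannot proceed as if the allowance had been granted.
    function approveToChecked(address target, uint256 amount) external onlyOwner {
        bool ok = token.approve(target, amount);
        if (!ok) revert ApproveFailed(target, amount);
    }
}
```

With FalseReturningToken as the token, approveToUnchecked completes without error while approveToChecked reverts with ApproveFailed. A token whose approve returns no data at all would make both calls revert at the ABI decode; OpenZeppelin's SafeERC20 wrapper is the usual way to handle that case as well.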