stake.link
DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Malicious attacker can set approval and transfer User Lock

Summary

A malicious attacker can set themselves as an operator by calling the setApprovalForAll() function and then transfer user tokens/locks.

Vulnerability Details

By calling the setApprovalForAll() function, an attacker can set themselves up as the operator; the approval is recorded in the operatorApprovals mapping, and the isApprovedForAll() function returns the value stored in that mapping for the operator when called.

function setApprovalForAll(address _operator, bool _approved) external {
    address owner = msg.sender; // the caller is always the "owner" side of the approval key
    if (owner == _operator) revert ApprovalToCaller();
    operatorApprovals[owner][_operator] = _approved;
    emit ApprovalForAll(owner, _operator, _approved);
}

function isApprovedForAll(address _owner, address _operator) public view returns (bool) {
    return operatorApprovals[_owner][_operator];
}

As you can see below, isApprovedForAll() is one of the conditions evaluated when _isApprovedOrOwner() is called, since that function returns true for either the owner or an approved operator.

// Signature inferred from the call in transferFrom(); the submission quotes only the return line.
function _isApprovedOrOwner(address _spender, uint256 _lockId) internal view returns (bool) {
    address owner = ownerOf(_lockId); // owner lookup assumed; not shown in the submission
    return (_spender == owner || isApprovedForAll(owner, _spender) || getApproved(_lockId) == _spender);
}

The _isApprovedOrOwner() function is then used in the transferFrom() function to check whether the caller is the owner or an approved operator before a user's lock is transferred.

function transferFrom(
    address _from,
    address _to,
    uint256 _lockId
) external {
    // reverts unless msg.sender is the lock's owner, an operator approved by that owner, or the per-lock approvee
    if (!_isApprovedOrOwner(msg.sender, _lockId)) revert SenderNotAuthorized();
    _transfer(_from, _to, _lockId);
}

In this case, the check will pass and the malicious actor will be able to perform the transfer.
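To see exactly which approval key the quoted functions read and write, here is an added Python model that replays setApprovalForAll(), isApprovedForAll(), _isApprovedOrOwner() and transferFrom() step by step. It is an illustration written for this page, not the stake.link contract code; the owner lookup, the getApproved() storage and the body of _transfer() are not quoted in the submission and are modelled here as plain dictionaries (an assumption). The model records what happens when an address approves itself, when it approves a second address, and when that second address then attempts to move a lock owned by someone else versus a lock owned by the approver.

```python
class ApprovalToCaller(Exception):
    """Mirrors the revert in setApprovalForAll() when owner == _operator."""


class SenderNotAuthorized(Exception):
    """Mirrors the revert in transferFrom() when the caller is not approved."""


class LockRegistry:
    """Minimal model of the approval state used by the quoted Solidity."""

    def __init__(self):
        self.owner_of = {}             # lockId -> owner        (assumed owner lookup)
        self.operator_approvals = {}   # (owner, operator) -> bool  (operatorApprovals)
        self.lock_approvals = {}       # lockId -> spender      (assumed getApproved storage)

    def mint(self, to, lock_id):
        self.owner_of[lock_id] = to

    def set_approval_for_all(self, sender, operator, approved):
        owner = sender  # msg.sender: the caller can only write its own row of the mapping
        if owner == operator:
            raise ApprovalToCaller()
        self.operator_approvals[(owner, operator)] = approved

    def is_approved_for_all(self, owner, operator):
        return self.operator_approvals.get((owner, operator), False)

    def get_approved(self, lock_id):
        return self.lock_approvals.get(lock_id)

    def _is_approved_or_owner(self, spender, lock_id):
        owner = self.owner_of[lock_id]  # the row consulted is the *lock owner's* row
        return (spender == owner
                or self.is_approved_for_all(owner, spender)
                or self.get_approved(lock_id) == spender)

    def transfer_from(self, sender, _from, to, lock_id):
        if not self._is_approved_or_owner(sender, lock_id):
            raise SenderNotAuthorized()
        self.owner_of[lock_id] = to  # _transfer() is not quoted; assumed to update ownership


def attacker_self_approval_outcome():
    """Replay the scenario from the submission with constructed addresses."""
    reg = LockRegistry()
    reg.mint("victim", 1)    # constructed: lock 1 belongs to the victim
    reg.mint("attacker", 2)  # constructed: lock 2 belongs to the attacker

    # 1. The attacker tries to approve themselves: the owner == _operator check reverts.
    try:
        reg.set_approval_for_all("attacker", "attacker", True)
        self_approval_reverts = False
    except ApprovalToCaller:
        self_approval_reverts = True

    # 2. The attacker approves a second address instead; this writes operatorApprovals[attacker][accomplice].
    reg.set_approval_for_all("attacker", "accomplice", True)

    # 3. The accomplice attempts to move the victim's lock; the check reads operatorApprovals[victim][accomplice].
    try:
        reg.transfer_from("accomplice", "victim", "accomplice", 1)
        victim_transfer_reverts = False
    except SenderNotAuthorized:
        victim_transfer_reverts = True

    # 4. The same approval does authorise moving the attacker's own lock.
    reg.transfer_from("accomplice", "attacker", "accomplice", 2)

    return {
        "self_approval_reverts": self_approval_reverts,
        "approved_for_attacker_locks": reg.is_approved_for_all("attacker", "accomplice"),
        "approved_for_victim_locks": reg.is_approved_for_all("victim", "accomplice"),
        "victim_transfer_reverts": victim_transfer_reverts,
        "victim_lock_owner": reg.owner_of[1],
        "attacker_lock_owner": reg.owner_of[2],
    }


if __name__ == "__main__":
    for key, value in attacker_self_approval_outcome().items():
        print(f"{key}: {value}")
```

The model keys the approval on msg.sender, exactly as the quoted setApprovalForAll() does, and _isApprovedOrOwner() looks up the row belonging to the lock's current owner, so the only row a caller can populate is its own.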

Impact

An attacker can easily transfer a user's lock, which is not the intended design.

Tools Used

Manual code review

Recommendations

Grant only the msg.sender (the owner of the lock id) access to the setApprovalForAll() function.

Updates

Lead Judging Commences

0kage (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
