stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

The `linkToken` and `sdlToken` contracts have an unrestricted approval for an unlimited amount by the `SDLPoolCCIPController` contract

0xVinylDavyl

Summary

The SDLPoolCCIPController contract exhibits a vulnerability related to unrestricted approval for LINK and SDL tokens. Both the linkToken and sdlToken contracts are approved for an unlimited amount, potentially exposing the contract to unauthorized transfers.

Vulnerability Details

In the SDLPoolCCIPController contract, there is a lack of restriction on the approval amounts for the linkToken and sdlToken. The contracts are approved for the maximum possible amount, which could be exploited by attackers to perform unauthorized transfers on behalf of the SDLPoolCCIPController contract.

The vulnerability stems from the lack of restriction on approval amounts for linkToken and sdlToken in the SDLPoolCCIPController contract.

// SPDX-License-Identifier: MIT

pragma solidity 0.8.15;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

abstract contract SDLPoolCCIPController {

using SafeERC20 for IERC20;

IERC20 public immutable linkToken;

IERC20 public immutable sdlToken;

// ...

/**

* @notice Initializes the contract

* @param _router address of the CCIP router

* @param _linkToken address of the LINK token

* @param _sdlToken address of the SDL token

* @param _sdlPool address of the SDL Pool

* @param _maxLINKFee max fee to be paid on an outgoing message

**/

constructor(

address _router,

address _linkToken,

address _sdlToken,

address _sdlPool,

uint256 _maxLINKFee

) {

linkToken = IERC20(_linkToken);

sdlToken = IERC20(_sdlToken);

// Unrestricted approval for both linkToken and sdlToken

linkToken.approve(_router, type(uint256).max);

sdlToken.approve(_router, type(uint256).max);

}

// ...

}

In the constructor, both linkToken and sdlToken are approved with the maximum possible allowance (type(uint256).max). This means that any address can transfer an unlimited amount of tokens on behalf of the SDLPoolCCIPController contract.

Impact

The impact of this vulnerability is significant, as it allows attackers to potentially misuse the unlimited approval to transfer LINK and SDL tokens without proper authorization. This could lead to unauthorized token transfers, causing financial losses or disruptions in the intended functionality of the contract.

Tools Used

VsCode / Manual

Recommendations

Limit the approval amounts for both linkToken and sdlToken to the necessary values. Only approve the amounts required for the intended operations. Implement a controlled approval mechanism to minimize the risk of unauthorized transfers and enhance the security of the SDLPoolCCIPController contract.

To address the vulnerability of unrestricted approval for linkToken and sdlToken in the SDLPoolCCIPController contract, it is crucial to implement input validation and limit the approval amounts.

Modify the constructor to include input validation checks for the _linkToken and _sdlToken addresses.
Ensure that the provided addresses are valid ERC-20 token contracts before proceeding with approval.

require(_linkToken != address(0), "Invalid linkToken address");

require(_sdlToken != address(0), "Invalid sdlToken address");

then, instead of approving the maximum possible allowance, set specific approval amounts that align with the intended operations.
Define constants or variables to represent the approved amounts for both linkToken and sdlToken.

uint256 constant MAX_APPROVAL_AMOUNT = type(uint256).max;

linkToken.approve(_router, MAX_APPROVAL_AMOUNT); // Replace with specific approval amount

sdlToken.approve(_router, MAX_APPROVAL_AMOUNT); // Replace with specific approval amount

Review and Set Reasonable Approval Amounts:

Assess the contract's functionality to determine the maximum amounts needed for authorized operations.
Set approval amounts that align with the requirements of the Cross-Chain Interoperability Protocol (CCIP) and other functionalities.

// Example: Set approval amount based on the expected maximum usage

uint256 linkTokenApprovalAmount = calculateLinkTokenApprovalAmount();

linkToken.approve(_router, linkTokenApprovalAmount);

uint256 sdlTokenApprovalAmount = calculateSDLTokenApprovalAmount();

sdlToken.approve(_router, sdlTokenApprovalAmount);

Consider External Call Security:

Ensure that external calls and interactions with other contracts are conducted securely.
Implement proper access controls and validate external inputs to prevent unauthorized access or manipulation.

// Example: Validate external input before making an external call

require(reSDLTokenBridge != address(0), "reSDLTokenBridge not set");

IRESDLTokenBridge(reSDLTokenBridge).ccipReceive(_message);

Updates

Lead Judging Commences

0kage Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.