The contract grants the maximum possible allowance (type(uint256).max) of LinkToken and SDLToken to the _router. If the _router is compromised, this practice can have catastrophic consequences: an attacker could use the unlimited allowance to drain funds from the contract.
Code snippets:
A compromised _router could drain the entire contract's holdings of LinkToken and SDLToken.
Manual Review
Modify the code to approve only the exact amounts of tokens required for specific transactions.
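The two allowance patterns side by side, as an added illustration that is not the contract's own code: the blanket type(uint256).max approval the finding describes, and the scoped approval the recommendation asks for. The token addresses, the router interface (IRouterLike.send) and the function names are assumptions made for the example; the real CCIP router API is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the example.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical router interface; stands in for whatever the real _router exposes.
interface IRouterLike {
    function send(address token, uint256 amount) external;
}

contract AllowanceExample {
    IERC20 public immutable linkToken;
    IERC20 public immutable sdlToken;
    address public immutable router;

    constructor(IERC20 _link, IERC20 _sdl, address _router) {
        linkToken = _link;
        sdlToken = _sdl;
        router = _router;
    }

    // Pattern the finding flags: a one-time unlimited allowance. From this point on
    // the router (or anyone who controls it) can pull every LINK and SDL token the
    // contract ever holds, without any further action by this contract.
    function approveMaxUnsafe() external {
        require(linkToken.approve(router, type(uint256).max), "LINK approve failed");
        require(sdlToken.approve(router, type(uint256).max), "SDL approve failed");
    }

    // Recommended pattern: grant exactly what this transaction needs, use it, then
    // clear the allowance so nothing is left outstanding if the router is later compromised.
    function sendScoped(uint256 linkAmount, uint256 sdlAmount) external {
        require(linkToken.approve(router, linkAmount), "LINK approve failed");
        require(sdlToken.approve(router, sdlAmount), "SDL approve failed");

        IRouterLike(router).send(address(linkToken), linkAmount);
        IRouterLike(router).send(address(sdlToken), sdlAmount);

        // Residual allowance should be zero after a successful send; reset defensively
        // in case the router consumed less than approved.
        require(linkToken.approve(router, 0), "LINK reset failed");
        require(sdlToken.approve(router, 0), "SDL reset failed");
    }
}
```

The scoped version costs extra storage writes per call (one approve before and one reset after, per token), which is the gas trade-off behind the sponsor's reply; the exposure it removes is the standing allowance that would otherwise survive any later compromise of the router.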
The same can be said if the owner of SDLCCIPController is compromised.
Giving max approval is common in Web3 to avoid unnecessary gas, especially when the contract that has that max approval is also controlled by the same owner.
Design choice with accepted risk.