stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

No way to revoke approval in the SDLPool might lead to unauthorized calling transfer of locks.

zanybonzy

Summary

There is no way to revoke the approval which given via the approvefunction
They may able execute transfers even after the owner revokes their permission using the setApprovalForAll function.

Vulnerability Details

The setApprovalForAll function allows the owner to approve anyone as the operator.

function setApprovalForAll(address _operator, bool _approved) external {

address owner = msg.sender;

if (owner == _operator) revert ApprovalToCaller();

operatorApprovals[owner][_operator] = _approved;

emit ApprovalForAll(owner, _operator, _approved);

}

In the same vein, the approve function allows the owner or operator to approve anyone to transfer the lock.

function approve(address _to, uint256 _lockId) external {

address owner = ownerOf(_lockId);

if (_to == owner) revert ApprovalToCurrentOwner(); //@note

if (msg.sender != owner && !isApprovedForAll(owner, msg.sender)) revert SenderNotAuthorized();

tokenApprovals[_lockId] = _to;

emit Approval(owner, _to, _lockId);

}

Note that in the function, lock cannot be approved to the owner (but can be approved to any of the operators), and can be called by the owner/operator (see the isApprovedForAll modifier).

If the operator approves himself to the lock, using the approve function, and later on, his operator status gets revoked, his lock approval status is not cleared, meaning he still has access to the lock.

As an extreme example

User1 owns 5 locks.

He calls the setApprovalForAll setting User2 as his operator.

User2 calls the approve function on all 5 locks (It succeeds as there's no check preventing this unlike with the lock owner), getting herself both operator approval and token approvals.

User1 revokes User2's operator status.

User2 still has access to the locks and can transfer them.

Impact

Uncleared approval, gives access to transfer token.

Tools Used

Manual code review

Recommendations

Include a check to see if the _to in the approve function is an operator, revert if it is.
Or clear an operator's token approvals after revoking his operator status.

Updates

Lead Judging Commences

0kage Lead Judge

over 1 year ago

0kage Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

operator-approval

Operator assigning approval to himself via approve()

innertia Auditor

over 1 year ago

innertia Auditor

over 1 year ago

Choklox Auditor

over 1 year ago

innertia Auditor

over 1 year ago

ElHaj Auditor

over 1 year ago

0kage Lead Judge

over 1 year ago

0kage Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.