Token approvals from LiquidationPoolManager to LiquidationPool are not always completely used, leading to a buildup of excess approvals.
In LiquidationPoolManager::runLiquidation(), it approves its ERC20 balance of liquidated assets to the LiquidationPool contract:
In the LiquidationPool contract, it transfers _portion from the pool manager:
However, the sum of all _portion for every holder is not always equal to the erc20balance that was approved.
This is because the portion of a given stakeholder is sometimes reduced if they don't have enough EUROs:
Hence, the approvals are not completely used, so excess approvals build up over time.
In the future, if there are tokens which are used to distribute fees but also used as collateral, then this would result in a critical vulnerability since any user would be able to call distributeAssets() with malicious input parameters to exploit the excess approvals, and steal funds that were meant to be distributed in distributeFees().
Consider removing approvals at the end of the runLiquidation function, via ERC20::decreaseAllowance().
Or consider adding access control to distributeAssets and this would be even less of a risk.
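
The allowance accounting described above, as an added Python model (not the protocol's Solidity code and not from the original report): it tracks the allowance left over after each liquidation round, with and without a cleanup step that resets the allowance to zero. The ledger class, the staker figures, the 1:1 EUROs price and the reset_allowance flag are constructed assumptions.

```python
# Added illustration: a toy ERC20-style ledger, not the protocol's Solidity code.
MANAGER, POOL = "LiquidationPoolManager", "LiquidationPool"

class Token:
    def __init__(self):
        self.balance, self.allowance = {}, {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # approve overwrites, as in ERC20

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise ValueError("allowance exceeded")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("balance exceeded")
        self.allowance[(owner, spender)] -= amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

def run_liquidation(token, stakers, liquidated, price, reset_allowance):
    """One liquidation round; returns the allowance the pool still holds afterwards."""
    token.balance[MANAGER] = token.balance.get(MANAGER, 0) + liquidated
    approved = token.balance[MANAGER]
    token.approve(MANAGER, POOL, approved)          # manager approves its whole balance
    total_stake = sum(s["stake"] for s in stakers.values())
    for name, s in stakers.items():
        portion = approved * s["stake"] // total_stake
        if portion * price > s["euros"]:            # holder cannot afford the full share
            portion = s["euros"] // price           # so the portion is reduced
        s["euros"] -= portion * price
        token.transfer_from(POOL, MANAGER, name, portion)
    if reset_allowance:                             # cleanup step (hypothetical flag)
        token.approve(MANAGER, POOL, 0)
    return token.allowance[(MANAGER, POOL)]

def simulate(reset_allowance, rounds=3):
    """Residual allowance after each round, using constructed sample figures."""
    token = Token()
    stakers = {"alice": {"stake": 50, "euros": 1000},   # constructed data
               "bob": {"stake": 50, "euros": 20}}
    return [run_liquidation(token, stakers, 100, 1, reset_allowance)
            for _ in range(rounds)]

if __name__ == "__main__":
    print("no cleanup:  ", simulate(False))
    print("with cleanup:", simulate(True))
```

Without the cleanup, the leftover grows each round in this model because the unspent balance stays in the manager and is approved again together with the newly liquidated assets.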