Submission Details
Severity:
Unsafe Max Approve
Summary
For safety reasons It's not recommended to approve type(uint256).max . We should approve a relevant amount every time.
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L2TokenReceiver.sol#L143
TransferHelper.safeApprove(newParams_.tokenIn, router, type(uint256).max);
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L2TokenReceiver.sol#L144
TransferHelper.safeApprove(newParams_.tokenIn, nonfungiblePositionManager, type(uint256).max);
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L2TokenReceiver.sol#L146
TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L1Sender.sol#L76
IERC20(unwrappedToken_).approve(newToken_, type(uint256).max);
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/L1Sender.sol#L95
IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);
Prize pool breakdown
Total prize
22,500 USDC
nSLOC
1,05421 USDC / LOC
20,000 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.