MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Unnecessary ERC20 Approval to `IGatewayRouter(newGateway_).getGateway(newToken_)` in `L1Sender` Contract

0xaadhi

Summary

The L1Sender smart contract includes a line of code that sets an unlimited allowance for the gateway contract associated with the newToken_ using IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);. This approval is intended to allow the gateway contract to transfer newToken_ on behalf of L1Sender.

However, the IGatewayRouter(config.gateway).outboundTransfer function, which is called later in the contract, is used only to send a message and does not require the transfer of any ERC20 tokens. This makes the unlimited approval unnecessary and introduces a potential security risk.

Vulnerability Details

The contract grants an unlimited allowance to the gateway contract without a clear need for transferring tokens. The outboundTransfer function's purpose, as used in the contract, is to send a message rather than to perform token transfers. The presence of this approval suggests a misunderstanding of the gateway contract's functionality or an oversight in the contract's design.

Affected Code

IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/L1Sender.sol#L95

Impact

The unnecessary approval exposes the L1Sender contract to risks if the gateway contract is compromised. An attacker could exploit this approval to transfer the entirety of the newToken_ balance from the L1Sender contract to an unauthorized address, potentially leading to a significant loss of funds.

Tools Used

Manual review

Recommendations

Remove Unnecessary Approvals: The outboundTransfer function does not require transferring ERC20 tokens, the approval setting an unlimited allowance should be removed to eliminate the associated risks.

- function _replaceDepositTokenGateway(

- address oldGateway_,

- address newGateway_,

- address oldToken_,

- address newToken_

- ) private {

- bool isAllowedChanged_ = (oldToken_ != newToken_) || (oldGateway_ != newGateway_);

- if (oldGateway_ != address(0) && isAllowedChanged_) {

- IERC20(oldToken_).approve(IGatewayRouter(oldGateway_).getGateway(oldToken_), 0);

- }

- if (isAllowedChanged_) {

- IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);

- }

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.