Unnecessary ERC20 Approval to `IGatewayRouter(newGateway_).getGateway(newToken_)` in `L1Sender` Contract
Summary
The L1Sender smart contract includes a line of code that sets an unlimited allowance for the gateway contract associated with the newToken_ using IERC20(newToken_).approve(IGatewayRouter(newGateway_).getGateway(newToken_), type(uint256).max);. This approval is intended to allow the gateway contract to transfer newToken_ on behalf of L1Sender.
However, the IGatewayRouter(config.gateway).outboundTransfer function, which is called later in the contract, is used only to send a message and does not require the transfer of any ERC20 tokens. This makes the unlimited approval unnecessary and introduces a potential security risk.
Vulnerability Details
The contract grants an unlimited allowance to the gateway contract without a clear need for transferring tokens. The outboundTransfer function's purpose, as used in the contract, is to send a message rather than to perform token transfers. The presence of this approval suggests a misunderstanding of the gateway contract's functionality or an oversight in the contract's design.
Affected Code
Impact
The unnecessary approval exposes the L1Sender contract to risks if the gateway contract is compromised. An attacker could exploit this approval to transfer the entirety of the newToken_ balance from the L1Sender contract to an unauthorized address, potentially leading to a significant loss of funds.
Tools Used
Manual review
Recommendations
Remove Unnecessary Approvals: The
outboundTransferfunction does not require transferring ERC20 tokens, the approval setting an unlimited allowance should be removed to eliminate the associated risks.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.