Dria

Swan (NFT, Hardhat), 21,000 USDC

Submission Details
Severity: medium
Status: Invalid

Unlimited Token Allowance to Trusted Entities

Summary

The BuyerAgent currently grants maximum token allowances to both the "swan" contract and the "coordinator." This exposes every token the agent holds to being drained if either entity is compromised, and granting unbounded, irrevocable allowances is generally poor practice.

Vulnerability Details

Whenever a user creates a BuyerAgent, the agent automatically grants maximum token allowances to both the "swan" contract and the "coordinator." While this design streamlines transactions, it carries significant risk: if either the swan or the coordinator comes under the control of a malicious actor, all token funds held by the BuyerAgent could be drained.

Impact

Medium. Although the swan and coordinator are assumed to be trusted entities, a compromise of either one (whether through malicious action or a hack) could result in the total loss of token funds held within the BuyerAgent.

Tools Used

Manual review.

Recommendations

Implement a mechanism that lets the BuyerAgent owner adjust (and revoke) the token allowances granted to the swan and the coordinator. This gives the agent owner control over their funds, improves security, and bounds the potential loss.
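The pattern described above beside the recommended fix, as an added illustration that is not code from the Swan project: the first contract approves `type(uint256).max` to both spenders at construction with no way to reduce it, while the second starts at zero and lets the owner set or revoke each allowance. Contract names, the `owner` field and `setSpenderAllowance` are assumptions, not the project's identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumed; not the project's interface).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Pattern the report describes: unlimited approvals granted once at
// construction, with no owner-controlled way to lower them afterwards.
contract BuyerAgentUnbounded {
    constructor(IERC20 token, address swan, address coordinator) {
        token.approve(swan, type(uint256).max);        // whole balance exposed
        token.approve(coordinator, type(uint256).max); // to either spender
    }
}

// Hardened variant following the recommendation: allowances start at zero and
// only the owner can raise or revoke them, per spender. (Hypothetical names.)
contract BuyerAgentBounded {
    IERC20 public immutable token;
    address public immutable owner;
    address public immutable swan;
    address public immutable coordinator;

    error NotOwner();
    error UnknownSpender(address spender);

    constructor(IERC20 token_, address swan_, address coordinator_) {
        token = token_;
        owner = msg.sender;
        swan = swan_;
        coordinator = coordinator_;
        // Deliberately no approve() here: nothing is spendable until the owner opts in.
    }

    /// Owner sets the allowance for swan or coordinator; amount 0 revokes it.
    function setSpenderAllowance(address spender, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        if (spender != swan && spender != coordinator) revert UnknownSpender(spender);
        // Reset to zero first: some tokens reject a non-zero -> non-zero approve.
        require(token.approve(spender, 0), "approve reset failed");
        require(token.approve(spender, amount), "approve failed");
    }
}
```

The owner can then bound exposure to the amount needed for the next purchase rather than the agent's entire balance, and revoke it entirely if either trusted entity is suspected compromised.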

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 7 months ago: Submission Judgement Published. Invalidated. Reason: Design choice.

Appeal created

gabidev (Submitter), 7 months ago
inallhonesty (Lead Judge), 7 months ago

inallhonesty (Lead Judge), 7 months ago: Submission Judgement Published. Invalidated. Reason: Design choice.
