The BuyerAgent is currently required to grant maximum token allowances to both the "swan" contract and the "coordinator." This practice exposes all tokens to the risk of being drained if either entity is compromised and it's in general a very bad practice.
Whenever a user creates a BuyerAgent, the agent automatically allocates maximum allowances for tokens to both the "swan" contract and the "coordinator." While this design may streamline transactions, it poses significant risks. If either the swan or the coordinator becomes controlled by a malicious actor, all token funds within the BuyerAgent could be drained.
Medium. Although the swan and coordinator are assumed to be trusted entities, any compromise—whether through malicious actions or hacking—could result in the total loss of token funds held within the BuyerAgent.
Manual review.
Implement a mechanism that allows the BuyerAgent owner to adjust the token allowances for the swan and coordinator. This change would provide the agent owner with greater control over their funds, enhancing security and minimizing potential losses.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.