Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unconventional Use of Allowance in unregister Function May Cause User Confusion and Potential Security Risks

gaurav11018

Summary

In the LLMOracleRegistry contract, the unregister function increases the user's token allowance instead of directly transferring the staked tokens back to the user upon unregistration. This unconventional approach may confuse users and introduces potential security risks due to misuse of the ERC20 approve and transferFrom functions.

Vulnerability Details

Contract: LLMOracleRegistry

Function: unregister

function unregister(LLMOracleKind kind) public returns (uint256 amount) {
amount = registrations[msg.sender][kind];
// ensure the user is registered
if (amount == 0) {
revert NotRegistered(msg.sender);
}
// unregister the user
delete registrations[msg.sender][kind];
emit Unregistered(msg.sender, kind);
// approve its stake back
token.approve(msg.sender, token.allowance(address(this), msg.sender) + amount);
}

Explanation

Current Behavior:

  • When a user calls unregister, the contract deletes their registration and increases their allowance to spend tokens from the contract's balance by the amount they had staked.
    The user must then manually call transferFrom on the token contract to retrieve their staked tokens.
    Issues with Current Implementation:

  • User Confusion:
    Users may not realize they need to perform an additional step (calling transferFrom) to retrieve their tokens.
    This deviates from the standard expectation that tokens are automatically returned upon unregistration.
    Security Risks:
    If the user has authorized other addresses to spend tokens on their behalf, those addresses could withdraw the tokens from the contract without the user's consent.
    The ERC20 approve function has known vulnerabilities, such as the allowance race condition.
    ERC20 Standard Misuse:
    Using approve in this manner is unconventional and can lead to unexpected behavior.
    It violates best practices for interacting with ERC20 tokens.

Impact
Severity:Low

  • User Experience:

    • Potential confusion leading to users believing their tokens are lost or inaccessible.

    • Increased complexity in retrieving staked tokens may result in user errors.

  • Security:

    • Risk of unauthorized withdrawal of tokens if the user's account is compromised or if they've granted allowances to malicious contracts.

  • Compliance:

    • Deviates from standard ERC20 token interaction practices, potentially causing compatibility issues with wallets and other contracts.

Tools Used

Manual review

Recommendations

Modify the unregister Function to Transfer Tokens Directly
Replace the allowance increase with a direct token transfer to the user. This aligns with standard practices and enhances both security and user experience.
And ofcourse use the re-entrancy guard from openzepellin

function unregister(LLMOracleKind kind) public nonReentrant returns (uint256 amount) {
amount = registrations[msg.sender][kind];
// ensure the user is registered
if (amount == 0) {
revert NotRegistered(msg.sender);
}
// unregister the user
delete registrations[msg.sender][kind];
emit Unregistered(msg.sender, kind);
// transfer the staked tokens back to the user
bool success = token.transfer(msg.sender, amount);
require(success, "Token transfer failed");
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.