Dria

Summary

In the LLMOracleRegistry contract, the unregister function is designed to remove an oracle's registration and return the staked tokens to the oracle. However, instead of transferring the staked tokens directly back to the user, the function erroneously calls:

This line increases the ERC20 token allowance for the user (msg.sender) to spend tokens from the registry's balance. Specifically, it adds the staked amount to the existing allowance rather than transferring the tokens outright. Consequently, users are granted the ability to transfer tokens from the registry contract using transferFrom, but the tokens remain in the registry unless the user actively initiates the transfer.

Vulnerability Details

• The oracle calls the unregister function, which deletes their registration and emits the Unregistered event.

• Instead of transferring the staked tokens back, the function increases the allowance for the oracle to spend tokens from the registry by calling token.approve(msg.sender, token.allowance(address(this), msg.sender) + amount).

• The oracle, having an increased allowance, can now call transferFrom to move the approved amount of tokens from the registry to their own address.

• Alternatively, if the oracle is compromised, an attacker could use the allowance to drain tokens from the registry without the oracle's consent.

Impact

The vulnerability primarily relies on the oracle being compromised or acting maliciously. Since oracles are assumed to be trusted entities within the protocol, the likelihood of such exploitation is minimal.

Tools Used

Manual Review

Recommendations

Modify the unregister function to transfer the staked tokens directly back to the user instead of adjusting allowances.