Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Permanently locked funds in the registry contract

Summary

In order to register an oracle, a user must call LLMOracleRegistry::register(), provide the oracle type, and stake some tokens in the registry. However, when the user wants to remove the registration, his funds are not transferred back to him.

Vulnerability Details

    function register(LLMOracleKind kind) public {
        ...
        // ensure the user has enough allowance to stake
        if (token.allowance(msg.sender, address(this)) < amount) {
            revert InsufficientFunds();
        }
    @>  token.transferFrom(msg.sender, address(this), amount);
        ...
    }

    function unregister(LLMOracleKind kind) public returns (uint256 amount) {
        amount = registrations[msg.sender][kind];
        // ensure the user is registered
        if (amount == 0) {
            revert NotRegistered(msg.sender);
        }
        // unregister the user
        delete registrations[msg.sender][kind];
        emit Unregistered(msg.sender, kind);
        // approve its stake back
        token.approve(msg.sender, token.allowance(address(this), msg.sender) + amount);
    }

Here we can see that the amount is only approved, but the function lacks transfer functionality. Generally, the registry contract lacks functionality to withdraw any funds from it. This will result in permanently locked funds.

Impact

Permanently locked funds

Tools Used

Manual Review

Recommendations

Implement a withdraw functionality

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
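
The allowance flow in the register()/unregister() code quoted above, modeled in Python as an added example (it is not the project's Solidity and not part of the submission or the judgment). It assumes a standard ERC-20 token, where an approval made by the registry lets the approved account call transferFrom on the registry's balance; `Token`, `Registry`, `run_scenario`, the account name and the kind label are hypothetical.

```python
# Added example: a Python model of standard ERC-20 allowance accounting.
# Token and Registry are hypothetical stand-ins, not the project's contracts.
from collections import defaultdict

class Token:
    def __init__(self):
        self.balance = defaultdict(int)
        self.allowed = defaultdict(int)  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowed[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        # ERC-20 rule: caller spends owner's tokens only within its allowance.
        if self.allowed[(owner, caller)] < amount or self.balance[owner] < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowed[(owner, caller)] -= amount
        self.balance[owner] -= amount
        self.balance[to] += amount

class Registry:
    ADDR = "registry"
    def __init__(self, token, stake):
        self.token, self.stake, self.registrations = token, stake, {}

    def register(self, user, kind):
        # Mirrors register(): pull the stake using the user's allowance.
        self.token.transfer_from(self.ADDR, user, self.ADDR, self.stake)
        self.registrations[(user, kind)] = self.stake

    def unregister(self, user, kind):
        # Mirrors unregister(): delete the record, then approve the stake back.
        amount = self.registrations.pop((user, kind), 0)
        if amount == 0:
            raise KeyError("NotRegistered")
        current = self.token.allowed[(self.ADDR, user)]
        self.token.approve(self.ADDR, user, current + amount)
        return amount

def run_scenario(stake=100):
    token = Token()
    registry = Registry(token, stake)
    token.balance["alice"] = stake                 # constructed sample account
    token.approve("alice", Registry.ADDR, stake)
    registry.register("alice", "kind0")            # constructed kind label
    amount = registry.unregister("alice", "kind0")
    after_unregister = (token.balance["alice"], token.balance[Registry.ADDR])
    # The user pulls the approved stake out of the registry.
    token.transfer_from("alice", Registry.ADDR, "alice", amount)
    return after_unregister, (token.balance["alice"], token.balance[Registry.ADDR])
```

In the model, the stake sits in the registry after unregister() and moves back only when the user spends the allowance; a second pull beyond the approved amount is rejected.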
