The _addLiquidityProportional function does not provide an option to revoke remaining token approvals after a deposit. The caller specifies the exact BPT amount out and the pool computes the token amounts in, so users who want to limit their token approvals cannot approve exactly what the deposit will consume. The approval they grant has to be an upper bound, and whatever is not consumed stays available to the spender, which could be exploited if the pool is compromised.
The issue arises because:
Users specify exact BPT out but cannot specify exact tokens in
The actual amount of tokens required is calculated by the pool at execution time
Users must therefore approve more tokens than may be needed
Without user intervention, the excess approvals remain active indefinitely
This is particularly problematic for users who deliberately set specific approval amounts as a security measure rather than granting unlimited approvals.
Loss of funds
If the pool contract is compromised, an attacker could spend the remaining allowances to pull the difference between what users approved and what their deposits actually consumed, draining additional funds from users who intended to approve only the exact amount needed for their deposit.
Manual Review
Add an optional parameter, revokeRemainingApproval, that revokes the remaining approvals once the deposit has settled.
This allows:
Users who want unlimited approvals can set revokeRemainingApproval = false
Users who want exact approvals can set revokeRemainingApproval = true
This maintains flexibility while improving security for users who want stricter approval controls
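The following is an added illustration of the recommended flag, written for this page; it is not the audited project's code. IPool, ProportionalRouter, computeProportionalAmountsIn, queryAddLiquidityProportional and the revokeRemainingApproval parameter are hypothetical names. It also shows the caveat a reviewer would raise: ERC-20 approve() is keyed on msg.sender, so a router can only revoke allowances it owns (its own allowance to the pool); the allowance the user granted to the router can only be bounded with maxAmountsIn, not reset, from inside the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding, not the audited project's code. IPool,
// ProportionalRouter, computeProportionalAmountsIn, queryAddLiquidityProportional
// and the revokeRemainingApproval flag are hypothetical names chosen for the example.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPool {
    function tokens() external view returns (IERC20[] memory);
    // Exact BPT out is the input; the pool, not the caller, derives the token amounts.
    function computeProportionalAmountsIn(uint256 exactBptAmountOut) external view returns (uint256[] memory);
    // Pulls amountsIn from msg.sender (this router) via transferFrom and mints BPT to `to`.
    function addLiquidity(uint256[] calldata amountsIn, uint256 exactBptAmountOut, address to) external;
}

contract ProportionalRouter {
    error LengthMismatch();
    error AmountInAboveMax(uint256 tokenIndex, uint256 amountIn, uint256 maxAmountIn);
    error TokenCallFailed(address token);

    /// Users call this first so the allowance they grant to the router can be exactly
    /// amountsIn instead of a loose upper bound that leaves a residual.
    function queryAddLiquidityProportional(IPool pool, uint256 exactBptAmountOut)
        external view returns (uint256[] memory amountsIn)
    {
        return pool.computeProportionalAmountsIn(exactBptAmountOut);
    }

    function addLiquidityProportional(
        IPool pool,
        uint256[] calldata maxAmountsIn,
        uint256 exactBptAmountOut,
        bool revokeRemainingApproval
    ) external returns (uint256[] memory amountsIn) {
        IERC20[] memory tokens = pool.tokens();
        amountsIn = pool.computeProportionalAmountsIn(exactBptAmountOut);
        if (maxAmountsIn.length != tokens.length || amountsIn.length != tokens.length) revert LengthMismatch();

        for (uint256 i = 0; i < tokens.length; ++i) {
            // Bound the caller's exposure: never spend more of the user's allowance
            // than the user agreed to in this call, even if pool balances moved.
            if (amountsIn[i] > maxAmountsIn[i]) revert AmountInAboveMax(i, amountsIn[i], maxAmountsIn[i]);

            // Pull only what the pool needs. Any allowance the user granted beyond
            // amountsIn[i] stays in place: approve() is keyed on msg.sender, so this
            // contract cannot reduce an allowance that the user owns.
            if (!tokens[i].transferFrom(msg.sender, address(this), amountsIn[i])) revert TokenCallFailed(address(tokens[i]));

            // This allowance belongs to the router, so the router can clean it up below.
            if (!tokens[i].approve(address(pool), amountsIn[i])) revert TokenCallFailed(address(tokens[i]));
        }

        pool.addLiquidity(amountsIn, exactBptAmountOut, msg.sender);

        if (revokeRemainingApproval) {
            for (uint256 i = 0; i < tokens.length; ++i) {
                // Only the router-to-pool allowance can be revoked here. If the pool
                // pulled less than approved, do not leave the remainder for a later call.
                if (tokens[i].allowance(address(this), address(pool)) != 0) {
                    if (!tokens[i].approve(address(pool), 0)) revert TokenCallFailed(address(tokens[i]));
                }
            }
        }
    }
}
```

Two practical notes on the design. First, the user-held allowance is the one this finding is about, and the router cannot zero it; the user gets an exact, single-use approval by calling queryAddLiquidityProportional, approving exactly those amounts, and passing the same values as maxAmountsIn, so that any drift between the query and execution reverts instead of silently leaving a residual allowance. Second, the example checks the boolean returned by approve and transferFrom, which reverts on tokens that return nothing; production code would use a SafeERC20-style wrapper (forceApprove, safeTransferFrom) for those tokens.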
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.