[H-2] ZlpVault::updateAssetAllowance Unlimited ERC20 Approval to MarketMakingEngine Enables Total Fund Drain
Summary
The zlpVault::updateAssetAllowance function grants unlimited token approval to the privileged MarketMakingEngine, creating a single point of failure for catastrophic fund loss. If the MarketMakingEngine is compromised, an attacker can drain all vault assets in one transaction.
Vulnerability Details
Affected Code:
}
The onlyMarketMakingEngine modifier restricts this function to the MarketMakingEngine contract. However, if this contract is compromised (e.g., via a private key leak or reentrancy exploit), an attacker can:
-
Call updateAssetAllowance(type(uint256).max) to grant unlimited approval.
-
Call transferFrom on the vault’s asset to drain all funds.
Exploit Scenario:
-
Attacker compromises the MarketMakingEngine contract.
-
Calls updateAssetAllowance(type(uint256).max) to grant unlimited approval.
-
Calls transferFrom(ZlpVault.address, attacker.address, totalAssets()) to drain all funds.
Impact
High Impact: All vault assets (LSTs/LRTs) can be stolen in one transaction.
High Likelihood: High-value protocols are prime targets for infrastructure compromise.
High Risk: Immediate and irreversible loss of LP funds.
Tools Used
Manual Review, foundry
Recommendations
Remove updateAssetAllowance and set fixed approvals during initialization. Example:
Implement a pull-based allowance system (e.g., permit safe increaseAllowance calls by LPs).
-
Use a whitelist for approved spenders.
-
Additional Context:
Unlimited approvals are a common anti-pattern in DeFi. They introduce unnecessary risk and should be avoided unless absolutely necessary.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.