Zaros Part 2
Tags: Perpetuals DEX, Foundry, Solidity
Prize pool: 70,000 USDC
Submission Details
Severity: low
Status: Invalid

Modifier on function updateAssetAllowance() is not suitable

Summary

The access-control modifier on ZlpVault.sol#updateAssetAllowance() is not suitable.

Vulnerability Details

During initialization, the asset allowance granted to MarketMakingEngine is set to type(uint256).max. After that, only MarketMakingEngine is allowed to call updateAssetAllowance(), so the engine is the one that updates its own allowance.

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/zlp/ZlpVault.sol#L215-L219

function updateAssetAllowance(uint256 amount) external onlyMarketMakingEngine {
    // modifier `onlyMarketMakingEngine` ensures caller is market making engine
    // so pass `msg.sender` directly to `approve` saving 1 storage read
    IERC20(asset()).approve(msg.sender, amount);
}

There is no reason for MarketMakingEngine itself to lower its own allowance, so gating this function on the engine serves no purpose.

Impact

MarketMakingEngine can change its own allowance value at will, so the owner loses some control over the asset.

Tools Used

Manual review

Recommendations

Change the modifier to onlyOwner so that only the vault owner can set the allowance granted to MarketMakingEngine:

function updateAssetAllowance(uint256 amount) external onlyOwner {
    ZlpVaultStorage storage zlpVaultStorage = _getZlpVaultStorage();
    IERC20(asset()).approve(zlpVaultStorage.marketMakingEngine, amount);
}
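As an added illustration that is not Zaros's own code, the following Foundry test uses a constructed stand-in token (`MockAsset`) and a hypothetical vault (`DemoVault`, whose `gateOnOwner` switch selects either gating) to show the difference between the reported `onlyMarketMakingEngine` gating and the recommended `onlyOwner` gating; `forge-std`'s `Test` is assumed to be available.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in token: only approve/allowance, enough for the demo.
contract MockAsset {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}
// Hypothetical vault; `gateOnOwner` selects the reported gating (false) or the fix (true).
contract DemoVault {
    address public immutable owner;
    address public immutable marketMakingEngine;
    MockAsset public immutable asset;
    bool public immutable gateOnOwner;
    constructor(address engine, MockAsset asset_, bool gateOnOwner_) {
        owner = msg.sender;
        marketMakingEngine = engine;
        asset = asset_;
        gateOnOwner = gateOnOwner_;
        asset_.approve(engine, type(uint256).max); // initial max allowance, as in the finding
    }
    function updateAssetAllowance(uint256 amount) external {
        require(msg.sender == (gateOnOwner ? owner : marketMakingEngine), "unauthorized");
        asset.approve(marketMakingEngine, amount);
    }
}
contract AllowanceGateTest is Test {
    address engine = makeAddr("engine");
    // Reported behaviour: the engine alone can rewrite the allowance the owner granted.
    function test_engineRewritesOwnAllowance() public {
        MockAsset a = new MockAsset();
        DemoVault v = new DemoVault(engine, a, false);
        vm.prank(engine);
        v.updateAssetAllowance(0);
        assertEq(a.allowance(address(v), engine), 0);
    }
    // With onlyOwner gating the engine is rejected; only the deployer (owner) can set it.
    function test_onlyOwnerSetsAllowance() public {
        MockAsset a = new MockAsset();
        DemoVault v = new DemoVault(engine, a, true);
        vm.prank(engine);
        vm.expectRevert(bytes("unauthorized"));
        v.updateAssetAllowance(0);
        v.updateAssetAllowance(1 ether); // this test contract deployed the vault, so it is owner
        assertEq(a.allowance(address(v), engine), 1 ether);
    }
}
```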
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
