The updateAssetAllowance function uses msg.sender directly to call the approve function of the asset token contract.
The updateAssetAllowance function uses msg.sender directly as the spender when it calls the approve function of the asset token contract. This could allow a malicious user to call updateAssetAllowance and have the asset token approved for their own address, rather than for the MarketMakingEngine contract.
High. A malicious user could approve the asset token for their own address, potentially leading to unauthorized access and misuse of the asset token.
Manual code review and analysis.
Use the marketMakingEngine address stored in the ZlpVaultStorage struct to call the approve function, rather than msg.sender.
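The pattern described in this finding and the recommended fix, side by side, as an added illustration that is not the project's own code. The IERC20 interface, the ZlpVaultStorage field names and the caller check in the fixed version are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (assumed; not the project's interface).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract ZlpVaultExample {
    // Assumed shape of the storage struct: only the two fields the finding relies on.
    struct ZlpVaultStorage {
        address asset;
        address marketMakingEngine;
    }

    ZlpVaultStorage internal s;

    constructor(address asset, address marketMakingEngine) {
        s.asset = asset;
        s.marketMakingEngine = marketMakingEngine;
    }

    // Pattern described in the finding: the spender is whoever calls, so the
    // allowance is granted to the caller instead of the MarketMakingEngine.
    function updateAssetAllowanceVulnerable(uint256 amount) external {
        IERC20(s.asset).approve(msg.sender, amount);
    }

    // Recommended fix: the spender is always the engine address held in
    // storage. The caller restriction is an additional hardening assumption
    // so that only the engine can reshape its own allowance.
    function updateAssetAllowance(uint256 amount) external {
        address engine = s.marketMakingEngine;
        require(msg.sender == engine, "ZlpVault: caller is not the market making engine");
        IERC20(s.asset).approve(engine, amount);
    }
}
```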