Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 164/185
Findings: 1
Award: $2.76
š Selected for report: 0
š Solo Findings: 0
š Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
ā¢ Funds at risk: All tokens approved to the external contract could potentially be drained by a malicious contract. This puts user funds at risk of theft. The severity is high: ā¢ Critical severity: This approve-max pattern undermines the security model of ERC20 approvals. It gives unlimited access to external contracts, which is a critical security risk.
Approving the maximum amount of an ERC20 token to transfer could potentially be dangerous and lead to token theft. Here is a more detailed explanation: The key issue is in this code:
IERC20(asset).approve(eigenlayerStrategyManagerAddress, type(uint256).max);
This approves the EigenStrategyManager contract to transfer the maximum possible amount of the ERC20 token. The approve() function on ERC20 tokens allows a spender (in this case the EigenStrategyManager) to transfer up to a specified amount from the caller's account. By approving the maximum uint256 amount, it gives the EigenStrategyManager contract full control to transfer any and all of that token from the NodeDelegator's balance. This could be exploited by a malicious EigenStrategyManager contract that drains all the approved tokens into another account. Or if the EigenStrategyManager contract itself is compromised with a vulnerability, an attacker could drain the tokens
In summary, approving the maximum amount gives too much power to the spender contract and could lead to theft.
Manual
Only approve the exact amount needed for the deposit:
uint256 depositAmount = IERC20(asset).balanceOf(address(this)); IERC20(asset).approve(eigenlayerStrategyManagerAddress, depositAmount );
This restricts the approval to only the amount being deposited. Additionally, you could add a call to approve(0) after the deposit to fully revoke the approval:
IERC20(asset).approve(eigenlayerStrategyManagerAddress, 0);
This prevents any potential issues if the full approval amount was not used.
Other
#0 - c4-pre-sort
2023-11-16T07:05:28Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T07:05:36Z
raymondfam marked the issue as duplicate of #70
#2 - c4-judge
2023-11-29T19:28:16Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T19:29:10Z
fatherGoose1 marked the issue as grade-b