Closed sherlock-admin closed 1 year ago
supernova
high
The approve function allows the caller to make the contract approve the target with arbitrary amount of tokens.
Also , payable allows sending value to the contract , which is not accounted ,thereby resulting in permanent loss of funds
payable
This allows anyone to sweep all the ERC20 balance of the contract .
https://github.com/sherlock-audit/2022-11-sense/blob/main/contracts/src/RollerPeriphery.sol#L100-L102
Manual Review
The approve function should be called either in the constructor , or governed by a multisig.
Duplicate of #48
supernova
high
Anybody can make RollupPeriphery approve unlimited amount of ERC20 tokens
Summary
The approve function allows the caller to make the contract approve the target with arbitrary amount of tokens.
Also ,
payableallows sending value to the contract , which is not accounted ,thereby resulting in permanent loss of fundsVulnerability Detail
Impact
This allows anyone to sweep all the ERC20 balance of the contract .
Code Snippet
https://github.com/sherlock-audit/2022-11-sense/blob/main/contracts/src/RollerPeriphery.sol#L100-L102
Tool used
Manual Review
Recommendation
The approve function should be called either in the constructor , or governed by a multisig.
Duplicate of #48