Obedient Lava Monkey
Medium
withdrawETHWithPermit bypasses user-specified approval limits, enabling unauthorized full withdrawals.
The missing validation of permit for the actual amountToWithdraw in withdrawETHWithPermit will cause unauthorized withdrawals for users as malicious actors will exploit mismatched approval limits to withdraw the user's full balance.
In WrappedTokenGatewayV3.sol, the permit function validates approval for amount, but transferFrom is called with amountToWithdraw, potentially exceeding the user's intent.
When amount is set to type(uint256).max, the amountToWithdraw value is overridden to the user's full balance, regardless of the initial amount specified in the permit. This creates a mismatch between the permit approval (which is for amount) and the actual amountToWithdraw being processed.
- User signs a
permitforamount(e.g., limited approval). - User's
aWETHbalance is greater than or equal toamountToWithdraw. - Function input sets
amountto a lower value thanamountToWithdrawortype(uint256).max.
No restrictions are placed on amountToWithdraw being higher than the approved amount.
- Attacker calls
withdrawETHWithPermitwith:
amount == permit-limited approval.amountToWithdraw == user’s full aWETH balance.
- Contract calls
permitfor the lesseramount, successfully validating the signature. - Contract executes
transferFromwithamountToWithdraw, bypassing the intent of the user. - Excessive
aWETHis withdrawn and unwrapped into ETH for the attacker.
The user suffers a loss of their entire aWETH balance if amountToWithdraw exceeds their intended withdrawal limit. The attacker gains control of the withdrawn ETH.
Validate the permit approval for amountToWithdraw instead of amount by modifying permit parameters in WrappedTokenGatewayV3.sol`
Validate the permit approval for amountToWithdraw instead of amount by modifying permit parameters in WrappedTokenGatewayV3.sol