Malicious Approval Consumption

A vulnerability which gets exploited every few months and results in millions of $ stolen.

This vulnerability was yesterday actively exploited in the @SenecaUSD

Protocol, highlighting the persistent threat it poses to smart contract security. However, unfortunately it happens every few months.

We can do better and here’s a writeup that will help you finding such an issue in future

Understanding Malicious Approval Consumption

At its core, malicious approval consumption involves an attacker exploiting existing approvals granted to a contract. By invoking the transferFrom function on behalf of the contract, the attacker can illicitly transfer assets from victims. This mechanism is surprisingly simple yet highly effective, making it a favored approach among malicious actors.

Common Scenarios of Exploitation

Three primary scenarios illustrate how attackers execute this exploit:

Unguarded Arbitrary Call:

This scenario allows an attacker to exploit an unguarded function to make arbitrary calls. For example, if a contract, inadvertently allows unrestricted calls, an attacker could call USDC.transferFrom or USDC.transfer (if the contract holds funds) to siphon assets. This lack of safeguards often stems from oversight and is a frequent cause of security breaches. This is what happened yesterday to @SenecaUSD.

Guarded Function which is not-so-guarded:

In some cases, even functions with some level of protection can be exploited. A notable example is the exploit that happened to the @SushiSwap router, months ago, uncovered by @trust__90, where the absence of specific checks (like pair validation) allowed attackers to misuse the transferFrom function with arbitrary addresses.

These exploits are more sophisticated and require a deeper understanding of the contract's logic to execute.

Unguarded Delegatecall:

Delegatecall, if improperly guarded, can open up contracts to severe vulnerabilities. This was the case in a live protocol I audited 1-2 months ago, where an unguarded delegatecall allowed an attacker to execute any functionality, exploiting existing approvals.

The @0xPaladinSec team successfully mitigated this issue within minutes and assisted the client in redeploying their router with the corresponding fix. Special thanks to @paladin_marco for acting promptly.

Such vulnerabilities are particularly dangerous as they grant attackers wide-ranging control over the contract's execution.

Regardless of the specific root-cause, attackers will always follow the same pattern:

To identify contracts with existing approvals and drain the victims' assets.
This tactic underscores the importance of rigorous and repetitive audits, even the smallest update must be checked by multiple auditors. Especially now with the bull market knocking on the door.

Mitigation Strategies

For developers and auditors, understanding and identifying these vulnerabilities is crucial. When auditing contracts, especially those involving routers or approval mechanisms, here are some key considerations:

Guard Against Arbitrary Calls: Ensure that functions cannot be exploited to make unintended calls. Use explicit permission checks and validate inputs rigorously.

Validate Pairings and Addresses: Implement checks to strictly validate input parameters, specifically for such routers that are implementing callback logic.

Secure Delegatecall Use: Be cautious with delegatecall, ensuring it's used in a controlled manner, with explicit safeguards against unauthorized execution. Try to avoid delegatecalls if possible.

Malicious approval consumption remains a potent threat to smart contract security, as evidenced by its recent exploitation in the @SenecaUSD Protocol. By understanding the nuances of this exploit and implementing robust security measures, developers can fortify their contracts against such vulnerabilities. Vigilance, thorough auditing, and a deep understanding of smart contract mechanics are essential in the ongoing battle against malicious actors.