
fix(diem-staking): approve exact stake amount instead of unlimited DIEM allowance#595

Closed
Augustas11 wants to merge 1 commit into AntSeed:main from Augustas11:fix/BUG-155-bounded-diem-allowance

Conversation

@Augustas11
Contributor

Summary

  • Replaces maxUint256 in useApproveDiem with the precise amount the user is staking (parseEther(amountDiem))
  • Updates the StakeCard.tsx call-site to pass props.amt through to the hook
  • Removes the now-unused maxUint256 import from viem

Why

Unlimited ERC-20 allowances are a known blast-radius amplifier. If the staking proxy is ever upgraded with a bug or a key is compromised, a standing maxUint256 approval gives an attacker full access to every user's DIEM balance. Approving exactly the stake amount eliminates that risk. Users will now see "Approve X DIEM" in their wallet instead of "Approve unlimited".

Test plan

  • Typecheck passes (pnpm --filter diem-staking exec tsc --noEmit) — verified clean locally
  • Approve button flow: enter an amount, click Approve DIEM, confirm wallet shows the specific amount (not unlimited), allowance refetches, Stake button becomes active
  • Stake-without-prior-allowance regression: fresh wallet session shows approve step correctly
  • No test suite exists for apps/diem-staking yet — a Wagmi-mock unit test asserting approve receives parseEther(amount) rather than maxUint256 is a recommended follow-up

Fixes BUG-155.

Generated with Claude Code
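To make the blast-radius argument concrete, here is an added TypeScript example that is not code from this PR or from the AntSeed repository. It models the decision a bounded-approval hook makes (approve `parseEther(amount)` versus `maxUint256`, and only when the standing allowance cannot cover the stake) against an in-memory ERC-20 ledger standing in for viem/wagmi, so it runs offline. The addresses `USER` and `STAKING_PROXY`, the 1000 DIEM starting balance, the assumption that DIEM has 18 decimals, and the OpenZeppelin-style rule that a `maxUint256` allowance is never decremented by `transferFrom` are all assumptions of the example, not facts taken from the page. `parseEther`/`parseUnits` are re-implemented here so that the block needs no dependencies; they follow viem's semantics but are not viem.

```typescript
// Added example, not the project's code. Models exact vs unlimited approval
// against a mock ERC-20 so the residual allowance after staking can be inspected.
type Address = string;
type ApprovalMode = "exact" | "unlimited";

const MAX_UINT256: bigint = BigInt("0x" + "f".repeat(64)); // 2^256 - 1, viem's maxUint256
const USER: Address = "0xuser";             // constructed for the example
const STAKING_PROXY: Address = "0xstaking"; // constructed for the example

// Decimal string -> token base units (same rules as viem's parseUnits):
// malformed input and excess fractional digits are rejected.
function parseUnits(value: string, decimals: number): bigint {
  if (!/^\d+(\.\d+)?$/.test(value)) throw new Error(`invalid amount: ${value}`);
  const [whole, frac = ""] = value.split(".");
  if (frac.length > decimals) throw new Error(`${value} has more than ${decimals} decimals`);
  const scale = BigInt("1" + "0".repeat(decimals));
  return BigInt(whole) * scale + BigInt(frac.padEnd(decimals, "0") || "0");
}

// viem's parseEther is parseUnits(value, 18); a token with other decimals needs parseUnits.
function parseEther(value: string): bigint {
  return parseUnits(value, 18);
}

// Amount the wallet prompt asks the user to approve.
function approvalAmount(amountDiem: string, mode: ApprovalMode): bigint {
  return mode === "exact" ? parseEther(amountDiem) : MAX_UINT256;
}

// The approve step is only needed when the standing allowance cannot cover the stake.
function needsApproval(allowance: bigint, stake: bigint): boolean {
  return allowance < stake;
}

// Minimal ERC-20 allowance ledger. Assumes OpenZeppelin's infinite-allowance rule:
// an allowance equal to MAX_UINT256 is not decremented by transferFrom.
class MockErc20 {
  private balances = new Map<Address, bigint>();
  private allowances = new Map<string, bigint>();

  constructor(initialBalances: Record<Address, bigint>) {
    for (const who in initialBalances) this.balances.set(who, initialBalances[who]);
  }
  balanceOf(who: Address): bigint {
    return this.balances.get(who) ?? BigInt(0);
  }
  allowance(owner: Address, spender: Address): bigint {
    return this.allowances.get(`${owner}:${spender}`) ?? BigInt(0);
  }
  approve(owner: Address, spender: Address, amount: bigint): void {
    this.allowances.set(`${owner}:${spender}`, amount);
  }
  transferFrom(spender: Address, from: Address, to: Address, amount: bigint): void {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: transfer amount exceeds balance");
    if (allowed !== MAX_UINT256) this.approve(from, spender, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// What a buggy or compromised spender could pull from `owner` right now.
function exposure(token: MockErc20, owner: Address, spender: Address): bigint {
  const allowed = token.allowance(owner, spender);
  const balance = token.balanceOf(owner);
  return allowed < balance ? allowed : balance;
}

interface StakeRun {
  approvalsRequested: number;
  approvedAmounts: bigint[];
  residualAllowance: bigint;
  exposure: bigint;
}

// Run several stakes in a row and report what allowance is left afterwards.
function simulateStakes(mode: ApprovalMode, amountsDiem: string[]): StakeRun {
  const token = new MockErc20({ [USER]: parseEther("1000") }); // constructed balance
  const approvedAmounts: bigint[] = [];
  for (const amountDiem of amountsDiem) {
    const stake = parseEther(amountDiem);
    if (needsApproval(token.allowance(USER, STAKING_PROXY), stake)) {
      const amount = approvalAmount(amountDiem, mode);
      token.approve(USER, STAKING_PROXY, amount); // the "Approve X DIEM" wallet prompt
      approvedAmounts.push(amount);
    }
    // The staking contract pulls the stake with transferFrom.
    token.transferFrom(STAKING_PROXY, USER, STAKING_PROXY, stake);
  }
  return {
    approvalsRequested: approvedAmounts.length,
    approvedAmounts,
    residualAllowance: token.allowance(USER, STAKING_PROXY),
    exposure: exposure(token, USER, STAKING_PROXY),
  };
}
```

Running `simulateStakes("exact", ["10", "25"])` requests two approvals and leaves a zero allowance and zero exposure; `simulateStakes("unlimited", ["10", "25"])` requests one approval but leaves the allowance at `MAX_UINT256`, so the spender's exposure equals the user's whole remaining balance (965 DIEM here). Two caveats a reviewer would raise: `parseEther` hard-codes 18 decimals, so the hook's amount is only correct if the DIEM token actually uses 18; and an allowance granted before this change stays in force until the user overwrites or revokes it, so a hook that only approves when `allowance < stake` will never replace an existing unlimited allowance on its own.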

…EM allowance

Replaces maxUint256 approval in useApproveDiem with the exact amount the user
is about to stake. Users now see an "Approve X DIEM" wallet prompt rather than
an unlimited allowance request — safer if the staking proxy is ever upgraded
or compromised. One approve per stake operation is the accepted best practice.

Fixes BUG-155.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@kotevcode kotevcode closed this May 24, 2026