This repository has been archived by the owner on Sep 3, 2023. It is now read-only.
ast3ros - Approve and transferFrom functions of Pool tokens are subject to front-run attack. #154
Labels

- Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
- Medium: A valid Medium severity issue
- Reward: A payout will be made for this issue
- Sponsor Confirmed: The sponsor acknowledged this issue is valid
- Will Fix: The sponsor confirmed this issue will be fixed
ast3ros
high
# [H-02] Approve and transferFrom functions of Pool tokens are subject to front-run attack.
## Summary

The `approve` and `transferFrom` functions of Pool tokens are subject to a front-run attack because the `approve` method overwrites the current allowance regardless of whether the spender has already used it or not. If the spender has already spent the amount, the `approve` function grants a fresh allowance of the new amount on top of what was spent.

## Vulnerability Detail

The `approve` method overwrites the current allowance regardless of whether the spender already used it or not. This allows the spender to front-run the new approval and spend the old amount before the new allowance is set.

Scenario:

1. Alice calls the `pool.approve` method, passing Bob's address and N as the method arguments.
2. Alice calls the `pool.approve` method again, this time passing Bob's address and M as the method arguments.
3. Bob calls the `pool.transferFrom` method to transfer N of Alice's tokens somewhere.
4. Before Alice notices that something went wrong, Bob calls the `pool.transferFrom` method again, this time to transfer M of Alice's tokens.

## Impact

Users can lose pool tokens when they approve pool tokens to a malicious account.
## Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L284
https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L299

## Tool used

Manual Review

## Recommendation

Use `increaseAllowance` and `decreaseAllowance` instead of `approve`, as in the OpenZeppelin ERC20 implementation. Please see details here: https://forum.openzeppelin.com/t/explain-the-practical-use-of-increaseallowance-and-decreaseallowance-functions-on-erc20/15103/4
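The following is an added illustration of the recommended pattern, not code from Pool.sol or from the Surge project: a minimal allowance model that puts the racy `approve` next to the relative `increaseAllowance`/`decreaseAllowance` functions modelled on OpenZeppelin's ERC20, with `transferFrom` so the scenario above can be traced. The contract name, the constructed starting balance and the revert messages are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the Surge Pool.sol code): shows why a bare `approve`
/// is racy and how relative allowance changes bound what a spender can take.
contract AllowanceDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000; } // constructed sample balance

    // Racy: overwrites whatever is left. If Alice sends approve(bob, M) while
    // Bob still holds an unspent approve(bob, N), Bob can spend N before the
    // new value lands and then M afterwards, for N + M in total.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Relative increase: Bob can never obtain more than the sum of what Alice
    // explicitly added, whatever order the transactions are mined in.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    // Relative decrease: reverts instead of silently re-granting when the
    // spender has already consumed (part of) the old allowance, so the owner
    // learns the allowance is gone rather than issuing a fresh one.
    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decreased allowance below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 current = allowance[from][msg.sender];
        require(current >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = current - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

To move Bob's allowance from N to M, Alice calls `decreaseAllowance(bob, N)` followed by `increaseAllowance(bob, M)`: if Bob has already spent the N, the decrease reverts and Bob's total stays at N instead of N + M.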