Skip to content
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

wzrdk3lly - Approve function vulnerable to frontrunning attack #218

Closed
sherlock-admin opened this issue May 5, 2023 · 0 comments
Closed

wzrdk3lly - Approve function vulnerable to frontrunning attack #218

sherlock-admin opened this issue May 5, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented May 5, 2023
edited by github-actions bot
Loading

wzrdk3lly

medium

Approve function vulnerable to frontrunning attack

Summary

Approved escrow tokens are subject to front-run attack because the approve function doesn't account for an allowance already spent by the spender. In the event where the spender has spent the amount, the approve function will approve a new amount.

Vulnerability Detail

The spender can front-run new approvals and spend their current allowance + the new allowance granted by the token owner.

Let's take the example where Alice approves Bob the ability to spend an allowance of N tokens.

  1. After approving Bob an allowance of N tokens, Alice decides she wants to change N to M.
  2. Bob can front run the approve(M) transaction by first spending his N tokens, and then waiting until after approve(M) succeeds to spend an additional amount of M tokens.
  3. In this scenario Bob has successfully taken N more tokens than Alice intended.

Impact

A user can steal another user's token by frontrunning approvals.

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L75-L81

Tool used

Manual Review

Recommendation

The recommendation is to use OpenZeppelin's increaseAllowance and decreaseAllowance. See details here:

https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#ERC20-increaseAllowance-address-uint256-
https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#ERC20-decreaseAllowance-address-uint256-

Duplicate of #8
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 10, 2023
@sherlock-admin sherlock-admin added Medium A valid Medium severity issue Reward A payout will be made for this issue and removed High A valid High severity issue labels May 22, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Jun 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin