Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Double allowance spending when using the approve() function. #102

Closed
code423n4 opened this issue Sep 5, 2023 · 7 comments
Closed

Double allowance spending when using the approve() function. #102

code423n4 opened this issue Sep 5, 2023 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L276-L279

Vulnerability details

Impact

  • Malicious spenders could double spend from the owners if the owner decreases their allowance using the approve() function

Proof of Concept

  • If an owner wants to set the allowance of an spender to a new value (either remove or add more) and uses the rUSDY:allowance() function, it needs to send the value of the amount parameter set to the exact new allowance that the owner grants to the spender.

  • Let's take as example: UserA (owner) granted 1000 allowance to UserB (spender), and after some time, the owner decides to decrease the total allowance of UserB down to 250.

    • The spender realizes about the tx of the owner to decrease its allowance and frontruns that tx by sending a tx to spend all the existing allowance, so it transfersFrom the owner the currentAllowance, which is 1000.

    • After the spender tx was executed, the tx of the owner to decrease the spender's allowance is executed, and now the spender has been granted with another 250 extra allowance.

    • Now the spender goes ahead and sends another tx to spend the just recent increased allowance, and spends another 250 tokens from the owner.

      • The result is that the spender effectively spent 1250 tokens from the owner, when the owner only wanted to allow the spender to spend 250 tokens.
function approve(address _spender, uint256 _amount) public returns (bool) {
  //@audit-info => It will set the spender's allowance to the value of _amount!
  _approve(msg.sender, _spender, _amount);
  return true;
}

Tools Used

Manual Audit

Recommended Mitigation Steps

  • Deprecate the approve(), remove it from the contract. Leave only the increaseAllowance() and decreaseAllowance() functions.

Assessed type

ERC20
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 5, 2023
code423n4 added a commit that referenced this issue Sep 5, 2023
@code423n4
0xStalin issue #102
f4772ce
@raymondfam
Copy link

Caution users to use increaseAllowance() then.

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 8, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Sep 8, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

This was referenced Sep 8, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Sep 19, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as unsatisfactory:
Invalid

@stalinMacias
Copy link

@kirk-baird
Can I ask what is missing on my report for it to be marked as a low-quality report?

I considered the explanation provided in the PoC is self-explanatory about the issue I'm reporting, but, pls, let me know what do you think it was missing in the report

@kirk-baird
Copy link

@kirk-baird Can I ask what is missing on my report for it to be marked as a low-quality report?

I considered the explanation provided in the PoC is self-explanatory about the issue I'm reporting, but, pls, let me know what do you think it was missing in the report

Hi @stalinMacias this issue was not marked as low quality due to the writing style or PoC. I found these sufficient quality. It's marked as low-quality due to the issue itself.

Double spending on approve() is a known issue for ERC20 to which the solution is to add the functions increaseAllowance() and decreaseAllowance(). Since they've already added those functions this issue is already resolved.

@stalinMacias
Copy link

stalinMacias commented Sep 26, 2023
edited
Loading

@kirk-baird Thanks for the explanation, will take this into account for future submissions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working low quality report This report is of especially low quality primary issue Highest quality submission among a set of duplicates unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@kirk-baird @stalinMacias @code423n4 @raymondfam @c4-judge @c4-pre-sort