Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of the deprecated safeApprove() function of openzeppelin containing security vulnerabilities. #175

Closed
c4-bot-10 opened this issue Aug 19, 2024 · 0 comments
Closed

Use of the deprecated safeApprove() function of openzeppelin containing security vulnerabilities. #175

c4-bot-10 opened this issue Aug 19, 2024 · 0 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden insufficient quality report This report is not of sufficient quality 🤖_primary AI based primary recommendation

Comments

@c4-bot-10
Copy link
Contributor

c4-bot-10 commented Aug 19, 2024
edited by c4-bot-5
Loading

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/BackingManager.sol#L72
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/BackingManager.sol#L73
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RevenueTrader.sol#L191
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RevenueTrader.sol#L192

Vulnerability details

Impact

The BackingManager::grantRTokenAllowance and the RevenurTrader::_distributeTokenToBuy functions make use of safeApprove() function.
The original ERC20 token approval function is susceptible to front-running attacks, where malicious actors can modify quotas after seeing a transaction, but before it is mined.
The safeApprove function inherited this vulnerability and added unnecessary complexity, making it an additional insecurity.
This is why both functions have been deprecated.

Proof of Concept

    function grantRTokenAllowance(IERC20 erc20) external notFrozen {
        require(assetRegistry.isRegistered(erc20), "erc20 unregistered");
@>      IERC20(address(erc20)).safeApprove(address(rToken), 0);
@>      IERC20(address(erc20)).safeApprove(address(rToken), type(uint256).max);
    }
  • The _distributeTokenToBuy function in the RevenueTrader contract:
  function _distributeTokenToBuy() internal {
        uint256 bal = tokenToBuy.balanceOf(address(this));

@>      tokenToBuy.safeApprove(address(distributor), 0);
@>      tokenToBuy.safeApprove(address(distributor), bal);

        distributor.distribute(tokenToBuy, bal);
    }

Tools Used

Manual anlysis.

Recommended Mitigation Steps

Instead of using safeApprove, OpenZeppelin introduced safeIncreaseAllowance and safeDecreaseAllowance functions in the SafeERC20 library, which allow you to safely increment or decrement the allowance without directly setting it to a specific value.

Assessed type

ERC20
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 19, 2024
c4-bot-3 added a commit that referenced this issue Aug 19, 2024
@c4-bot-3
0XRolko issue #175
bfeb239
@c4-bot-6 c4-bot-6 removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Aug 19, 2024
@code4rena-admin code4rena-admin added 3 (High Risk) Assets can be stolen/lost/compromised directly edited-by-warden labels Aug 19, 2024
@c4-bot-5 c4-bot-5 changed the title Use of the deprecated safeApprove function of openzeppelin containing security vulnerabilities. Use of the deprecated safeApprove() function of openzeppelin containing security vulnerabilities. Aug 19, 2024
@c4-bot-12 c4-bot-12 added the 🤖_primary AI based primary recommendation label Aug 19, 2024
@howlbot-integration howlbot-integration bot added the insufficient quality report This report is not of sufficient quality label Aug 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working edited-by-warden insufficient quality report This report is not of sufficient quality 🤖_primary AI based primary recommendation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code4rena-admin @c4-bot-6 @c4-bot-10 @c4-bot-12