FloorDAO / floor-v2

Floor aims to create a fully onchain governance mechanism for sweeping and deploying NFTs to profitable NFT-Fi strategies as well as seeding liquidity for its own NFT-Fi products.
https://floor.xyz

[VFS-01M] Incorrect Inheritance of `ERC20Permit` #80

Closed tomwade closed 1 year ago

tomwade commented 1 year ago

VFS-01M: Incorrect Inheritance of ERC20Permit

| Type | Severity | Location |
| --- | --- | --- |
| Logical Fault | | VeFloorStaking.sol:L33 |

Description:

The VeFloorStaking is meant to be represented by an EIP-20 token that cannot be transferred nor approved as per the VeFloorStaking::approve, VeFloorStaking::increaseAllowance, and VeFloorStaking::decreaseAllowance function overrides.

Despite this, it inherits the ERC20Permit contract of OpenZeppelin which exposes the ERC20Permit::permit function and thus allows an allowance to be set and the ERC20::_approve function to be invoked, bypassing the aforementioned overrides.

Impact:

While the approval overrides can be bypassed, they cannot be actuated, rendering this exhibit to be of minor severity.

Example:

```solidity
contract VeFloorStaking is EpochManaged, ERC20, ERC20Permit, ERC20Votes, IVeFloorStaking, IVotable {
```

Recommendation:

We advise the code to remove inheritance of the ERC20Permit contract to avoid such unintended behaviour as the VeFloorStaking is meant to be non-transferable.
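The pattern in the finding, reduced to a minimal reproduction with a Foundry regression test (added example, not FloorDAO's code). It assumes OpenZeppelin Contracts 4.9.x and forge-std; `NonTransferableBefore`, `NonTransferableAfter`, the token names and the test key are hypothetical. One caveat worth checking when applying the recommendation: in OpenZeppelin 4.x, `ERC20Votes` itself inherits `ERC20Permit`, so deleting `ERC20Permit` from the explicit inheritance list does not remove `permit` from the bytecode. The hardened contract therefore also closes `_approve`, the internal function every allowance path ends at (OpenZeppelin 5.x changed `ERC20Votes` so that it no longer derives from `ERC20Permit` and changed the `_approve` signature, so the override would differ there).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not FloorDAO code). Assumes OpenZeppelin Contracts 4.9.x and
// Foundry's forge-std; contract names, token names and the key are hypothetical.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol";
import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
import {Test} from "forge-std/Test.sol";

/// Pattern from the finding: the public approval entry points revert, but
/// ERC20Permit::permit still reaches ERC20::_approve and sets an allowance.
contract NonTransferableBefore is ERC20, ERC20Permit, ERC20Votes {
    constructor() ERC20("veDemo", "veDEMO") ERC20Permit("veDemo") {}

    function approve(address, uint256) public pure override returns (bool) { revert("approvals disabled"); }
    function increaseAllowance(address, uint256) public pure override returns (bool) { revert("approvals disabled"); }
    function decreaseAllowance(address, uint256) public pure override returns (bool) { revert("approvals disabled"); }

    // Diamond-inheritance plumbing OZ 4.x requires for ERC20 + ERC20Votes.
    function _afterTokenTransfer(address from, address to, uint256 amount) internal override(ERC20, ERC20Votes) { super._afterTokenTransfer(from, to, amount); }
    function _mint(address to, uint256 amount) internal override(ERC20, ERC20Votes) { super._mint(to, amount); }
    function _burn(address from, uint256 amount) internal override(ERC20, ERC20Votes) { super._burn(from, amount); }
}

/// Hardened form: ERC20Permit is dropped from the inheritance list as the
/// finding recommends. In OZ 4.x ERC20Votes still derives from ERC20Permit,
/// so permit() remains callable; closing _approve, the one internal function
/// that approve/increaseAllowance/decreaseAllowance/permit all end at, makes
/// every allowance path revert regardless of entry point.
contract NonTransferableAfter is ERC20, ERC20Votes {
    constructor() ERC20("veDemo", "veDEMO") ERC20Permit("veDemo") {}

    function _approve(address, address, uint256) internal pure override { revert("approvals disabled"); }

    function _afterTokenTransfer(address from, address to, uint256 amount) internal override(ERC20, ERC20Votes) { super._afterTokenTransfer(from, to, amount); }
    function _mint(address to, uint256 amount) internal override(ERC20, ERC20Votes) { super._mint(to, amount); }
    function _burn(address from, uint256 amount) internal override(ERC20, ERC20Votes) { super._burn(from, amount); }
}

/// Foundry regression test: documents the bypass on the "before" contract and
/// pins the fix on the "after" contract so it cannot silently regress.
contract PermitBypassTest is Test {
    bytes32 internal constant PERMIT_TYPEHASH =
        keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
    uint256 internal constant OWNER_PK = 0xA11CE;          // constructed test key, not a real account
    address internal constant SPENDER = address(0xBEEF);   // constructed spender address

    // Builds a valid EIP-712 permit signature for the token's own domain.
    function _permitSig(ERC20Permit token, address owner, uint256 value)
        internal view returns (uint8 v, bytes32 r, bytes32 s)
    {
        bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, SPENDER, value, token.nonces(owner), block.timestamp));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", token.DOMAIN_SEPARATOR(), structHash));
        return vm.sign(OWNER_PK, digest);
    }

    function testPermitBypassesOverridesBefore() public {
        NonTransferableBefore t = new NonTransferableBefore();
        address owner = vm.addr(OWNER_PK);

        vm.expectRevert(bytes("approvals disabled"));
        t.approve(SPENDER, 1 ether);                      // the override holds here

        (uint8 v, bytes32 r, bytes32 s) = _permitSig(t, owner, 1 ether);
        t.permit(owner, SPENDER, 1 ether, block.timestamp, v, r, s);
        assertEq(t.allowance(owner, SPENDER), 1 ether);   // but permit set the allowance anyway
    }

    function testPermitBlockedAfter() public {
        NonTransferableAfter t = new NonTransferableAfter();
        address owner = vm.addr(OWNER_PK);

        (uint8 v, bytes32 r, bytes32 s) = _permitSig(t, owner, 1 ether);
        vm.expectRevert(bytes("approvals disabled"));
        t.permit(owner, SPENDER, 1 ether, block.timestamp, v, r, s);
        assertEq(t.allowance(owner, SPENDER), 0);         // no allowance path remains
    }
}
```

Run with `forge test --match-contract PermitBypassTest`. The first test is the finding's description in executable form: the signature verifies, `permit` calls `_approve`, and the public overrides never run. The second test is the property to keep in the project's suite after the fix: with `_approve` closed, a correctly signed permit reverts before any allowance is written, which is the only outcome compatible with a token that is meant to be non-transferable.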