Floor aims to create a fully onchain governance mechanism for sweeping and deploying NFTs to profitable NFT-Fi strategies as well as seeding liquidity for its own NFT-Fi products.
VFS-01M: Incorrect Inheritance of ERC20Permit
Description:
The VeFloorStaking is meant to be represented by an EIP-20 token that cannot be transferred nor approved, as per the VeFloorStaking::approve, VeFloorStaking::increaseAllowance, and VeFloorStaking::decreaseAllowance function overrides. Despite this, it inherits the ERC20Permit contract of OpenZeppelin, which exposes the ERC20Permit::permit function and thus allows an allowance to be set and the internal ERC20::_approve function to be invoked, bypassing the aforementioned overrides.
Impact:
While the approval overrides can be bypassed, the resulting allowance cannot be acted upon, rendering this exhibit of minor severity.
Example:
contract VeFloorStaking is EpochManaged, ERC20, ERC20Permit, ERC20Votes, IVeFloorStaking, IVotable {
Recommendation:
We advise the inheritance of the ERC20Permit contract to be removed to avoid such unintended behaviour, as the VeFloorStaking is meant to be non-transferable.
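As an added illustration, not code from the Floor audit or repository, the minimal shape of the bypass and of the recommended fix side by side; it assumes OpenZeppelin v4 (where increaseAllowance/decreaseAllowance are virtual and ERC20Permit lives under draft-ERC20Permit.sol), and the contract names are placeholders:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol";

// "Before" state (assumed minimal reproduction, placeholder name): every public
// approval entry point reverts, yet ERC20Permit is still inherited.
contract VeStakeWithPermit is ERC20, ERC20Permit {
    constructor() ERC20("veStake", "veSTK") ERC20Permit("veStake") {}

    function approve(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
    function increaseAllowance(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
    function decreaseAllowance(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
    // ERC20Permit::permit(owner, spender, value, deadline, v, r, s) is inherited
    // unchanged. With a valid EIP-712 signature from `owner` it calls the internal
    // ERC20::_approve(owner, spender, value) directly, so allowance(owner, spender)
    // becomes non-zero even though the three overrides above always revert.
    // Because transfers are disabled elsewhere, the allowance cannot be spent,
    // which is why the finding is rated minor rather than exploitable.
}

// Recommended state (placeholder name): ERC20Permit is simply not inherited, so
// no permit() function exists and the only approval paths are the reverting
// overrides. No signature-based path to _approve remains.
contract VeStakeNoPermit is ERC20 {
    constructor() ERC20("veStake", "veSTK") {}

    function approve(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
    function increaseAllowance(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
    function decreaseAllowance(address, uint256) public pure override returns (bool) {
        revert("non-transferable");
    }
}
```

A quick regression check for the fixed contract is that `allowance(owner, spender)` stays zero after every public call succeeds or reverts, and that the compiled ABI exposes no `permit` or `DOMAIN_SEPARATOR` selector.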