Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

CS - VaultPermissions incorrect allowance value #161

Closed 0xdcota closed 1 year ago

0xdcota commented 1 year ago

Where: https://github.com/Fujicracy/fuji-v2/blob/ab02d2308797577973ac358af8c7aadf973bcec7/packages/protocol/src/vaults/VaultPermissions.sol#L100

/// @inheritdoc IVaultPermissions
function decreaseBorrowAllowance(address spender, uint256 byAmount)
  public
  virtual
  override
  returns (bool)
{
  address owner = msg.sender;
  uint256 currentAllowance = withdrawAllowance(owner, spender); // <-------- problem here.
  require(currentAllowance >= byAmount, "ERC20: decreased allowance below zero");
  unchecked {
    _setBorrowAllowance(owner, spender, _borrowAllowance[owner][spender] - byAmount);
  }
  return true;
}

Description: The VaultPermissions contract distinguishes the quantity of borrow and withdrawal allowances by keeping them in separate mappings. However, the decreaseWithdrawAllowance function incorrectly assigns the value from the _withdrawAllowance mapping into the currentAllowance variable.

Recommendation: Change the decreaseWithdrawAllowance function, so as to assign the appropriate value into the currentAllowance variable.
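
The mismatch in the quoted function, shown as an added example that is not part of the issue or the fuji-v2 code base: a minimal contract that places the reported guard beside one that reads the borrow mapping. The contract name, the internal helpers, demo() and all amounts are assumptions constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not fuji-v2 code. AllowanceGuardDemo, the internal helpers
// and demo() are hypothetical names; the amounts are constructed.
contract AllowanceGuardDemo {
  mapping(address => mapping(address => uint256)) internal _withdrawAllowance;
  mapping(address => mapping(address => uint256)) internal _borrowAllowance;

  // Shape of the reported code: the guard reads the withdraw mapping while the
  // unchecked subtraction runs on the borrow mapping.
  function _decreaseBorrowAsReported(address owner, address spender, uint256 byAmount) internal {
    uint256 currentAllowance = _withdrawAllowance[owner][spender];
    require(currentAllowance >= byAmount, "ERC20: decreased allowance below zero");
    unchecked {
      _borrowAllowance[owner][spender] = _borrowAllowance[owner][spender] - byAmount;
    }
  }

  // Guard and subtraction use the same value, so the unchecked block cannot wrap.
  function _decreaseBorrowConsistent(address owner, address spender, uint256 byAmount) internal {
    uint256 currentAllowance = _borrowAllowance[owner][spender];
    require(currentAllowance >= byAmount, "ERC20: decreased allowance below zero");
    unchecked {
      _borrowAllowance[owner][spender] = currentAllowance - byAmount;
    }
  }

  // Constructed scenario: withdraw allowance 100, borrow allowance 10, decrease by 50.
  function demo(address spender) external returns (uint256 reported, uint256 consistent) {
    address owner = msg.sender;
    _withdrawAllowance[owner][spender] = 100;
    _borrowAllowance[owner][spender] = 10;

    // The guard passes on 100 >= 50, then 10 - 50 wraps instead of reverting.
    _decreaseBorrowAsReported(owner, spender, 50);
    reported = _borrowAllowance[owner][spender];
    assert(reported == type(uint256).max - 39);

    // With the consistent guard, the largest valid decrease is the allowance itself.
    _borrowAllowance[owner][spender] = 10;
    _decreaseBorrowConsistent(owner, spender, 10);
    consistent = _borrowAllowance[owner][spender];
    assert(consistent == 0);
  }
}
```

The opposite mismatch, a withdraw allowance smaller than byAmount, makes the reported shape revert even when the borrow allowance is large enough to cover the decrease.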

0xdcota commented 1 year ago

Issue was fixed during changes in Commit ba3cd8e14a318512c8439fa84afde16821c25e3b

0xdcota commented 1 year ago

Merged to Main in PR #116