ghost
commented
3 years ago sponsor acknowledged disagree with severity 0 While this is true, delegatedTransferERC20 isnt meant for owner but suggestion is noted.
Closed code423n4 closed 3 years ago
ghost
commented
3 years ago sponsor acknowledged disagree with severity 0 While this is true, delegatedTransferERC20 isnt meant for owner but suggestion is noted.
ghoul-sol
commented
3 years ago Duplicate of #21
Handle
cmichel
Vulnerability details
Vulnerability Details
The
Visor.delegatedTransferERC20function skips the approval check ifmsg.sender == _getOwner(), however, it will still try to reduce the approval in that case. As it is implemented that the owner does not need an approval for this function, a previous approve action was most likely never sent and the transaction will fail when trying to reduce theerc20Approvalsfield by theamountdue to the usage of SafeMath underflow checks.Impact
Owners cannot transfer using this function.
Recommended Mitigation Steps
Move the approval subtraction to the
ifpath.