The Synth._approve function performs a no-op if the stored allowance is currently type(uint256).max: the early return skips the write entirely instead of skipping it only when the value is unchanged.
As a result, an allowance can never be changed, lowered or revoked once it has been set to the max value.
Impact
Suppose a user grants an operator a max allowance and the operator (or its key) is later compromised.
The approval cannot be revoked: approve(operator, 0) hits the early return and leaves the unlimited allowance in place. This is especially bad because every approveAndCall call sets the max approval, so every spender used via approveAndCall ends up with an irrevocable unlimited allowance.
Recommended Mitigation Steps
The gas-saving check should skip the storage write only when the value is unchanged, not whenever the current value is the max: if (_allowances[owner][spender] != amount) { update }.
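The following is an added, illustrative reconstruction of the pattern the finding describes, not the audited Synth code (which is not reproduced on this page): SynthLikeBuggy carries the early return in _approve, SynthLikeFixed carries the recommended unchanged-value check, and RevokeDemo runs the key-compromise scenario against both. The contract and function names, the placeholder spender address and the approveAndCall shape are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; illustrative reconstruction, not the audited Synth contract (assumption).
abstract contract AllowanceBase {
    mapping(address => mapping(address => uint256)) internal _allowances;
    event Approval(address indexed owner, address indexed spender, uint256 value);

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        _approve(msg.sender, spender, amount);
        return true;
    }

    // Mirrors the behaviour described in the finding: every approveAndCall
    // grants an unlimited allowance before invoking the spender (shape assumed).
    function approveAndCall(address spender, bytes calldata data) external returns (bool) {
        _approve(msg.sender, spender, type(uint256).max);
        (bool ok, ) = spender.call(data);
        require(ok, "callback failed");
        return true;
    }

    function _approve(address owner, address spender, uint256 amount) internal virtual;
}

contract SynthLikeBuggy is AllowanceBase {
    // Early return on an existing infinite allowance: once max is stored,
    // approve(spender, 0) and every other update is silently dropped.
    function _approve(address owner, address spender, uint256 amount) internal override {
        if (_allowances[owner][spender] == type(uint256).max) {
            return; // BUG: the allowance can never be lowered or revoked
        }
        _allowances[owner][spender] = amount;
        emit Approval(owner, spender, amount);
    }
}

contract SynthLikeFixed is AllowanceBase {
    // Recommended check: skip the SSTORE only when the value is unchanged,
    // so a revocation (amount == 0) is always written.
    function _approve(address owner, address spender, uint256 amount) internal override {
        if (_allowances[owner][spender] != amount) {
            _allowances[owner][spender] = amount;
            emit Approval(owner, spender, amount);
        }
    }
}

contract RevokeDemo {
    // Placeholder spender; any address works since approveAndCall's low-level
    // call to an account without code succeeds (assumption for the demo).
    address constant SPENDER = address(uint160(0xBEEF));

    // Returns true when the attempted revocation left the unlimited allowance in place.
    function buggyRevokeIsNoOp() external returns (bool) {
        SynthLikeBuggy token = new SynthLikeBuggy();
        token.approveAndCall(SPENDER, "");  // stores type(uint256).max
        token.approve(SPENDER, 0);          // revocation after the spender is compromised
        return token.allowance(address(this), SPENDER) == type(uint256).max; // true
    }

    // Returns true when the fixed contract honours the same revocation.
    function fixedRevokeWorks() external returns (bool) {
        SynthLikeFixed token = new SynthLikeFixed();
        token.approveAndCall(SPENDER, "");
        token.approve(SPENDER, 0);
        return token.allowance(address(this), SPENDER) == 0; // true
    }
}
```

If the early return was meant as the usual infinite-allowance gas optimisation, that optimisation belongs in transferFrom's allowance decrement (skip the write when the current allowance is the max), where it is harmless; placed in _approve it turns an explicit approve(spender, 0) into a no-op, which is exactly the revocation a user needs after a compromise.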
The issue is identical to #152, just a different contract. I'd keep them both; however, issues from other wardens touch on both contracts at once, so it would be unfair to keep this one.
Handle
cmichel