code-423n4 / 2021-11-streaming-findings


Race condition on ERC20 approval #230

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/LockeERC20.sol#L86-L92

function approve(address spender, uint256 amount) public virtual returns (bool) {
    allowance[msg.sender][spender] = amount;

    emit Approval(msg.sender, spender, amount);

    return true;
}

Using approve() to manage allowances opens yourself and users of the token up to frontrunning. Best practice, but doesn't usually matter.

Explanation of this possible attack vector

See also: 0xProject/0x-monorepo#850

A potential fix includes preventing a call to approve if all the previous tokens are not spent through adding a check that the allowed balance is 0:

require(allowed[msg.sender][_spender] == 0).
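Hardened allowance logic in the shape the finding suggests, as an added example and not LockeERC20's or the project's own code: the zero-allowance check (with an `amount == 0` escape hatch, assumed here so that a non-zero allowance can still be reset) plus relative increase/decrease functions whose outcome does not depend on transaction ordering. The contract name `SafeApproveToken` is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical hardened allowance logic; illustrative, not the audited contract.
contract SafeApproveToken {
    mapping(address => mapping(address => uint256)) public allowance;

    event Approval(address indexed owner, address indexed spender, uint256 amount);

    // Mitigation from the finding: a non-zero allowance must be reset to 0
    // before it can be set to another non-zero value, so a spender that
    // front-runs the change cannot collect both the old and the new amount.
    // Allowing amount == 0 is the escape hatch that makes the reset possible.
    function approve(address spender, uint256 amount) public virtual returns (bool) {
        require(
            amount == 0 || allowance[msg.sender][spender] == 0,
            "reset allowance to 0 first"
        );
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Relative adjustment: the final allowance is old + added regardless of
    // how transactions are ordered (checked arithmetic reverts on overflow).
    function increaseAllowance(address spender, uint256 added) public virtual returns (bool) {
        uint256 newAllowance = allowance[msg.sender][spender] + added;
        allowance[msg.sender][spender] = newAllowance;
        emit Approval(msg.sender, spender, newAllowance);
        return true;
    }

    // Relative adjustment: reverts rather than wrapping if the spender has
    // already used more than the owner intends to leave.
    function decreaseAllowance(address spender, uint256 subtracted) public virtual returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decrease below zero");
        uint256 newAllowance = current - subtracted;
        allowance[msg.sender][spender] = newAllowance;
        emit Approval(msg.sender, spender, newAllowance);
        return true;
    }
}
```

Callers that need to change a non-zero allowance to another non-zero value either call approve twice (to 0, then to the new value) or use the relative functions.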

0xean commented 2 years ago

duplicate of #74