Handle
Ruhum
Vulnerability details
Impact
The permit() function is included in multiple ERC20 tokens in the codebase. It allows a user to grant somebody else the ability to approve tokens for someone else on their behalf. This is done by signing a message containing the spender, amount to approve, etc.
But, it provides security concerns since it opens up users to phishing attacks. Generally, users tend to be more careless when a MetaMask popup opens up where they are only asked to sign a message, not a transaction. But, when the ERC20 token has a permit() function, a signed message is all that's needed to drain all the funds of the user.
Here's an example where NFTs were stolen through the same mechanism: https://twitter.com/dingalingts/status/1470095710888808449
Proof of Concept
https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/YUSDToken.sol#L186
https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/YETI/YETIToken.sol#L157
https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/YETI/sYETIToken.sol#L152
Tools Used
none
Recommended Mitigation Steps
I'd recommend removing it altogether. Not worth the risk.
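
The signing request described under Impact can be recognized before it is signed. The following is an added example, not part of the original report or the audited codebase: a wallet-side check that flags an EIP-2612 Permit typed-data message. The function name, the allowlist, the one-hour threshold and all sample values are assumptions.

```javascript
// Added example: classify an eth_signTypedData_v4 payload before the user signs it.
// Field names follow EIP-2612: Permit(owner, spender, value, nonce, deadline).
const MAX_UINT256 = (1n << 256n) - 1n;
const PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"];

// knownSpenders: Set of lowercase addresses the user already trusts (assumed policy).
// The one-hour deadline threshold is likewise an assumed policy, not a standard.
function inspectSigningRequest(typedData, knownSpenders, nowSeconds) {
  const td = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const declared = ((td.types || {})[td.primaryType] || []).map((f) => f.name);
  const isPermit =
    td.primaryType === "Permit" && PERMIT_FIELDS.every((n) => declared.includes(n));
  if (!isPermit) return { isPermit: false, warnings: [] };

  const { spender, value, deadline } = td.message;
  const warnings = ["signing this grants a token allowance without any transaction"];
  if (BigInt(value) === MAX_UINT256) warnings.push("unlimited allowance");
  if (!knownSpenders.has(String(spender).toLowerCase())) warnings.push("unknown spender");
  if (BigInt(deadline) - BigInt(nowSeconds) > 3600n) warnings.push("long-lived deadline");
  return { isPermit: true, token: td.domain.verifyingContract, spender, warnings };
}

// Constructed sample request; every address and number below is made up.
const samplePermit = {
  primaryType: "Permit",
  types: {
    Permit: [
      { name: "owner", type: "address" },
      { name: "spender", type: "address" },
      { name: "value", type: "uint256" },
      { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x" + "11".repeat(20) },
  message: {
    owner: "0x" + "aa".repeat(20),
    spender: "0x" + "22".repeat(20),
    value: "0x" + "f".repeat(64),
    nonce: "0",
    deadline: "1900000000",
  },
};

const report = inspectSigningRequest(samplePermit, new Set(), 1700000000);
console.log(report.isPermit, report.warnings);
```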