code-423n4 / 2022-01-xdefi-findings

0 stars 0 forks source link

EIP2612 is still draft #181

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

sirhashalot

Vulnerability details

Impact

EIP2612 is still in draft: https://eips.ethereum.org/EIPS/eip-2612

Using a draft EIP in a mainnet contract can cause problems if the EIP is modified. Because XDEFIDistribution.sol does not have a way to be modified (such as with a Proxy contract), changes to the EIP could result in the lockWithPermit() function failing to work as expected.

Proof of Concept

The lockWithPermit() function uses the permit() function from EIP2612: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L101

Recommended Mitigation Steps

Wait until EIP2612 is finalized before including functions from it on the mainnet

deluca-mike commented 2 years ago

If we want the ability support some kind of single-transaction locking, we have to support some kind of permit mechanism. Consider the fact that everything in this contract that is not ERC20 or ERC721 is new, and by definition "non-standard", but we still need to release something. Also, since the XDEFI token is already on mainnet, and supports this kind of permit, we're already locked into this mechanism.

Ivshti commented 2 years ago

agreed, 2612 is a de-facto standard now