Closed code423n4 closed 2 years ago
If we want the ability support some kind of single-transaction locking, we have to support some kind of permit mechanism. Consider the fact that everything in this contract that is not ERC20 or ERC721 is new, and by definition "non-standard", but we still need to release something. Also, since the XDEFI token is already on mainnet, and supports this kind of permit, we're already locked into this mechanism.
agreed, 2612 is a de-facto standard now
Handle
sirhashalot
Vulnerability details
Impact
EIP2612 is still in draft: https://eips.ethereum.org/EIPS/eip-2612
Using a draft EIP in a mainnet contract can cause problems if the EIP is modified. Because XDEFIDistribution.sol does not have a way to be modified (such as with a Proxy contract), changes to the EIP could result in the
lockWithPermit()
function failing to work as expected.Proof of Concept
The
lockWithPermit()
function uses thepermit()
function from EIP2612: https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L101Recommended Mitigation Steps
Wait until EIP2612 is finalized before including functions from it on the mainnet