Status: Closed (code423n4 closed this issue 2 years ago)
Duplicate of #130
Duplicate of #160
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibAsset.sol#L68
Vulnerability details
Impact
approveERC20() uses an unlimited approval. Although unlimited approvals are used by various DeFi platforms to minimize transaction fees and improve user experience, they introduce security risks as well: any spender granted such an allowance can move the contract's entire balance of that token, not just the amount needed for the current operation.
Proof of Concept
https://kalis.me/unlimited-erc20-allowances/
https://blocksecteam.medium.com/unlimited-approval-in-erc20-convenience-or-security-1c8dce421ed7
https://medium.com/@rodrigoherrerai/understanding-the-problem-of-erc20-unlimited-approval-from-first-principles-d2eaf6b4ea0e
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider changing approveERC20() to approve only the required amount, or alternatively using increaseERC20Allowance() and decreaseERC20Allowance() so that the allowance is adjusted by exactly what each operation needs.
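As an added illustration (not code from the LiFi repository), the sketch below places an approve-to-max helper next to an exact-amount variant built on OpenZeppelin 4.x SafeERC20; the library and function names are assumed for the example, only the IERC20/SafeERC20 calls are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical library for illustration only.
library AllowanceExample {
    using SafeERC20 for IERC20;

    // Weak pattern: whenever the allowance is short, grant the spender an
    // unlimited allowance. Every unit of this token the contract ever holds
    // remains spendable by `spender` long after the current operation ends,
    // so a compromised or buggy spender can drain the full balance.
    function approveUnlimited(IERC20 token, address spender, uint256 amount) internal {
        if (token.allowance(address(this), spender) < amount) {
            // safeApprove only allows 0 -> X or X -> 0, so reset first.
            token.safeApprove(spender, 0);
            token.safeApprove(spender, type(uint256).max);
        }
    }

    // Hardened pattern: raise the allowance only by the shortfall for this
    // operation and trim any excess, so the spender can never move more than
    // the amount the current call actually needs.
    function approveExact(IERC20 token, address spender, uint256 amount) internal {
        uint256 current = token.allowance(address(this), spender);
        if (current < amount) {
            token.safeIncreaseAllowance(spender, amount - current);
        } else if (current > amount) {
            // Guarded by the comparison above, so this cannot underflow.
            token.safeDecreaseAllowance(spender, current - amount);
        }
    }
}
```

After the spender has consumed the tokens, a follow-up call to approveExact with amount 0 leaves no residual allowance behind.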