code-423n4 / 2022-03-lifinance-findings


approveERC20() uses unlimited approval #120

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibAsset.sol#L68

Vulnerability details

Impact

approveERC20() is using unlimited approval. Although unlimited approval is used by various DeFi platforms to minimize transaction fees and improve user experience, it introduces security risks as well.

Proof of Concept

https://kalis.me/unlimited-erc20-allowances/

https://blocksecteam.medium.com/unlimited-approval-in-erc20-convenience-or-security-1c8dce421ed7

https://medium.com/@rodrigoherrerai/understanding-the-problem-of-erc20-unlimited-approval-from-first-principles-d2eaf6b4ea0e

Tools Used

Manual analysis

Recommended Mitigation Steps

Consider changing approveERC20() to approve only the required amount, or rather using increaseERC20Allowance() and decreaseERC20Allowance().
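The pattern the finding describes, set beside the two mitigations it proposes, as an added Solidity example. This is not the LiFi `LibAsset` code and not the project's fix; the library and function names (`LibApprove`, `approveUnlimited`, `approveExact`, `increaseAllowance`, `decreaseAllowance`, `Router`) and the inline `IERC20` interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed here (illustrative; not the project's interface).
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 value) external returns (bool);
}

library LibApprove {
    error ApproveFailed(address token, address spender, uint256 value);
    error NotAContract(address token);

    // The pattern the finding objects to: once the allowance is short, grant the
    // maximum so future calls can skip approve(). Cheap, but if `spender` is ever
    // compromised, upgraded maliciously or simply buggy, it can pull every unit of
    // `token` this contract holds, not just the amount of the current operation.
    function approveUnlimited(IERC20 token, address spender, uint256 amount) internal {
        if (token.allowance(address(this), spender) < amount) {
            _rawApprove(token, spender, type(uint256).max);
        }
    }

    // Mitigation 1: the allowance never exceeds what this call needs.
    // Some tokens (USDT-style) revert on a non-zero -> non-zero approve, so the
    // allowance is reset to zero before a new non-zero value is set.
    function approveExact(IERC20 token, address spender, uint256 amount) internal {
        uint256 current = token.allowance(address(this), spender);
        if (current == amount) return;
        if (current != 0) _rawApprove(token, spender, 0);
        if (amount != 0) _rawApprove(token, spender, amount);
    }

    // Mitigation 2: adjust by a delta instead of overwriting. Built on approveExact
    // so the zero-reset behaviour above is inherited.
    function increaseAllowance(IERC20 token, address spender, uint256 delta) internal {
        uint256 current = token.allowance(address(this), spender);
        approveExact(token, spender, current + delta); // checked arithmetic in 0.8
    }

    function decreaseAllowance(IERC20 token, address spender, uint256 delta) internal {
        uint256 current = token.allowance(address(this), spender);
        require(current >= delta, "LibApprove: decreased allowance below zero");
        approveExact(token, spender, current - delta);
    }

    // approve() through a low-level call so tokens that return nothing (USDT) or
    // return false instead of reverting are both handled. A call to an address with
    // no code would "succeed" with empty return data, hence the code-size check.
    function _rawApprove(IERC20 token, address spender, uint256 value) private {
        if (address(token).code.length == 0) revert NotAContract(address(token));
        (bool ok, bytes memory data) =
            address(token).call(abi.encodeCall(IERC20.approve, (spender, value)));
        if (!ok || (data.length != 0 && !abi.decode(data, (bool)))) {
            revert ApproveFailed(address(token), spender, value);
        }
    }
}

// Illustrative caller: approve exactly the amount in flight, hand control to the
// external spender, then remove whatever the spender did not consume so that
// partial fills cannot accumulate a standing allowance over time.
contract Router {
    using LibApprove for IERC20;

    function _executeWithExactAllowance(
        IERC20 token,
        address spender,
        uint256 amount,
        bytes calldata callData
    ) internal {
        token.approveExact(spender, amount);
        (bool ok, ) = spender.call(callData);
        require(ok, "Router: external call failed");
        if (token.allowance(address(this), spender) != 0) {
            token.approveExact(spender, 0);
        }
    }
}
```

The cost of the exact-amount variant is one or two extra `approve` calls per operation; the trade is bounded exposure, because the most a misbehaving or compromised `spender` can take is the `amount` of the single operation in progress rather than the contract's whole balance.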

H3xept commented 2 years ago

Duplicate of #130

gzeoneth commented 2 years ago

Duplicate of #160