code-423n4 / 2022-04-dualityfocus-findings


Front running attack in approve. #6

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-dualityfocus/blob/f21ef7708c9335ee1996142e2581cb8714a525c9/contracts/compound_rari_fork/CToken.sol#L172

Vulnerability details

Impact

Front running attack in approve.

Proof of Concept

The CToken contract does not have any protection against the well-known “Multiple Withdrawal Attack” on the Approve/TransferFrom methods of the ERC20 standard.

It is possible for someone to lose tokens if someone is listening to the mempool and the caller wants to change previous approvals.

Recommended Mitigation Steps

Add increase and decrease allowance.
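The mitigation the report recommends, shown as an added Solidity example (not code from the dualityfocus repository): the overwriting `approve` beside `increaseAllowance`/`decreaseAllowance`. The storage name `transferAllowances` mirrors CToken's; the contract and function bodies are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20-style allowance bookkeeping (added example, not the project's code).
// Storage name follows CToken's transferAllowances; everything else is hypothetical.
contract AllowanceExample {
    mapping(address => mapping(address => uint256)) internal transferAllowances;
    event Approval(address indexed owner, address indexed spender, uint256 amount);

    function allowance(address owner, address spender) external view returns (uint256) {
        return transferAllowances[owner][spender];
    }

    // Standard ERC20 approve: unconditionally overwrites the allowance. If the owner
    // changes N -> M while a transferFrom(N) is still pending, a block producer can
    // order the spend first and the spender then holds M on top of the N already used.
    function approve(address spender, uint256 amount) external returns (bool) {
        transferAllowances[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Relative adjustments: the result is computed from the allowance as it exists
    // when this transaction executes, so an earlier spend cannot be stacked on it.
    function increaseAllowance(address spender, uint256 addedValue) external returns (bool) {
        uint256 updated = transferAllowances[msg.sender][spender] + addedValue; // 0.8 checked math reverts on overflow
        transferAllowances[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtractedValue) external returns (bool) {
        uint256 current = transferAllowances[msg.sender][spender];
        // If the spender already consumed the old allowance, this reverts instead of
        // silently granting a fresh one; the owner sees the failure and can react.
        require(current >= subtractedValue, "allowance below zero");
        uint256 updated = current - subtractedValue;
        transferAllowances[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Spend path; balance bookkeeping omitted to keep the example focused on allowances.
    function transferFrom(address from, address /*to*/, uint256 amount) external returns (bool) {
        uint256 current = transferAllowances[from][msg.sender];
        require(current >= amount, "insufficient allowance");
        transferAllowances[from][msg.sender] = current - amount;
        return true;
    }
}
```

With `approve(100)` followed by `approve(50)`, a spender whose `transferFrom(100)` lands between the two ends up with 150 spendable; with `decreaseAllowance(50)` in the same position the call reverts because the allowance is already 0.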

jack-the-pug commented 2 years ago

That's not a real risk. I will lower this to low.