Open code423n4 opened 2 years ago
Approval workflow doesnt leave funds at risk but is a nice to have, that plus scope and this might end up low risk but I think medium is appropriate as well.
This is a good issue and I agree with the severity. I decided against making this high severity due to the fact that funds are not necessarily at risk; it it just intended allowance functionality will not behave as expected.
see #180
Making this the main issue for the allowance flipped sign
Lines of code
https://github.com/code-423n4/2022-07-swivel/blob/daf72892d8a8d6eaa43b9e7d1924ccb0e612ee3c/Tokens/ZcToken.sol#L112-L114 https://github.com/code-423n4/2022-07-swivel/blob/daf72892d8a8d6eaa43b9e7d1924ccb0e612ee3c/Tokens/ZcToken.sol#L132-L133
Vulnerability details
Impact
There is an error in the allowance functionality to allow a non-owner to withdraw or redeem ZcTokens for the owner. Taking
ZcToken.redeem()
as an example, behold the following if/else block:If the
msg.sender
is the holder, no check for allowance is needed. If the sender is not the holder, then their allowance is checked.The error lies in the if statement
if (allowed >= principalAmount) { revert Approvals(allowed, principalAmount); }
. This states that if the sender has equal to or more allowance than the principalAmount, revert.Therefore, if the sender has the proper allowance or more allowance than necessary, the transaction will revert. If the sender has less allowance than necessary, the transaction will still revert because of the
allowance[holder][msg.sender] -= principalAmount;
clause.In conclusion, there is no way to
withdraw()
orredeem()
on behalf of another user.Tools Used
Manual review.
Recommended Mitigation Steps
The fix is to simply change
>=
to<