search

code-423n4 / 2022-07-swivel-findings

0 stars 1 forks source link

Cannot `withdraw` or `redeem` approved tokens #178

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Creator/ZcToken.sol#L112 https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Creator/ZcToken.sol#L133

Vulnerability details

Title

Cannot withdraw or redeem approved tokens

Impact

A contract/EOA which has been approved some ZcToken cannot redeem() or withdraw() the approved tokens since these functions always revert if msg.sender != holder.

Proof of Concept

In the withdraw() function (ZcToken.sol#L112) the check on allowance

            if (allowed >= previewAmount) {
                revert Approvals(allowed, previewAmount);
            }

is incorrect. So the withdraw() always reverts if msg.sender != holder, since if allowed >= previewAmount, then it reverts and otherwise allowance[holder][msg.sender] -= previewAmount; it reverts for underflow.

In the redeem() function the issue is similiar (ZcToken.sol#L133) but concerns the check allowed >= principalAmount which is incorrect.

Tools Used

Manual analysis

Recommended Mitigation Steps

Use allowed < previewAmount (in withdraw()) and allowed < principalAmount (in redeem()) to check amount exceding allowance.

JTraversa commented 2 years ago

Duplicate of #129

bghughes commented 2 years ago

Duplicate of #129