code-423n4 / 2022-07-swivel-findings


Wrong allowance checks in ZcToken #26

Closed. code423n4 closed this issue 2 years ago.

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/67c6900222cc4045d7fe2227a1ea73e0251374ed/Creator/ZcToken.sol#L112
https://github.com/code-423n4/2022-07-swivel/blob/67c6900222cc4045d7fe2227a1ea73e0251374ed/Creator/ZcToken.sol#L133

Vulnerability details

Impact

withdraw and redeem currently revert when the allowance is larger than the requested amount. However, this should be the other way around. Therefore, the methods do not work with allowances, as in the case allowed < previewAmount (or allowed < principalAmount), the subtraction of the allowance will revert.

Recommended Mitigation Steps

Change the checks to allowed < previewAmount / allowed < principalAmount.
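Added illustration of the inverted comparison described in this finding, in a hypothetical minimal contract (not the Swivel ZcToken source). The buggy branch and the corrected branch sit side by side; the error name `InsufficientAllowance` and the function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical contract illustrating the allowance check bug, not project code.
/// allowance[holder][spender] follows ERC-20 semantics.
contract AllowanceCheckExample {
    error InsufficientAllowance(uint256 allowed, uint256 amount); // assumed name

    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public balanceOf;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function mint(uint256 amount) external {
        balanceOf[msg.sender] += amount;
    }

    // BUGGY: reverts when the spender holds *more* allowance than needed, and
    // when allowed < amount the subtraction underflows and reverts as well
    // (checked arithmetic in 0.8.x). A third party can therefore only withdraw
    // when allowed == amount exactly, which is what the finding describes.
    function withdrawBuggy(uint256 amount, address holder) external returns (uint256) {
        if (holder != msg.sender) {
            uint256 allowed = allowance[holder][msg.sender];
            if (allowed > amount) revert InsufficientAllowance(allowed, amount);
            allowance[holder][msg.sender] = allowed - amount;
        }
        balanceOf[holder] -= amount;
        return amount;
    }

    // FIXED: revert only when the allowance is insufficient, then consume it.
    function withdrawFixed(uint256 amount, address holder) external returns (uint256) {
        if (holder != msg.sender) {
            uint256 allowed = allowance[holder][msg.sender];
            if (allowed < amount) revert InsufficientAllowance(allowed, amount);
            allowance[holder][msg.sender] = allowed - amount;
        }
        balanceOf[holder] -= amount;
        return amount;
    }
}
```

A unit test that approves 100, then withdraws 50 on behalf of the holder, passes against `withdrawFixed` and reverts against `withdrawBuggy`, which is the quickest regression check for this class of comparison bug.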

JTraversa commented 2 years ago

Duplicate of #129

bghughes commented 2 years ago

Duplicate of #129