code-423n4 / 2022-10-inverse-findings


Approve front-running attack in DBR.sol #581

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L158

Vulnerability details

Impact

An attacker could front-run an approve() transaction to get an overall bigger amount approved.

Proof of Concept

This is the approve() function of the DBR token.

```solidity
// Standard ERC20 approve(): overwrites the current allowance unconditionally
function approve(address spender, uint256 amount) public virtual returns (bool) {
    allowance[msg.sender][spender] = amount;
    emit Approval(msg.sender, spender, amount);
    return true;
}
```

The attack path would be:

  1. Bob approves 50 tokens for Alice
  2. Bob wants to change the approval from 50 to 10
  3. Alice front-runs the transaction and spends the approval before it is changed.
  4. Alice spends 10 more tokens, for a total of 60 tokens spent.

To sum up, Alice spends 50 tokens, then Bob allows 10 more tokens because the allowance is not checking prior balances; it just changes the actual balance to the amount allowed.

Tools Used

Manual review

Recommended Mitigation Steps

Use the non-standard ERC20 functions increaseAllowance() and decreaseAllowance().
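The following Python simulation is an added illustration, not part of this finding or of the Inverse code base: it replays the ordering from the attack path above against a plain overwriting approve() (Alice ends up with 60 tokens) and against a relative decreaseAllowance-style adjustment (Alice is capped at 50, because Bob's adjustment reverts once the original allowance has already been spent). The account names, balances and the revert-on-underflow behaviour are constructed assumptions.

```python
# Constructed simulation of ERC20 allowance bookkeeping; not the DBR.sol contract.
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # Standard approve(): overwrites the allowance, blind to what was already spent.
        self.allowance[(owner, spender)] = amount

    def decrease_allowance(self, owner, spender, subtracted):
        # Relative adjustment: subtract from the current value, revert on underflow.
        current = self.allowance.get((owner, spender), 0)
        if subtracted > current:
            raise ValueError("decreased allowance below zero")
        self.allowance[(owner, spender)] = current - subtracted

    def transfer_from(self, spender, owner, to, amount):
        key = (owner, spender)
        if self.allowance.get(key, 0) < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowance[key] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def mine(token, txs):
    # Apply transactions in block order; a failing tx reverts with no effect.
    for tx in txs:
        try:
            tx(token)
        except ValueError:
            pass


def total_spent(bob_adjustment):
    """Bob approves 50 for Alice, then submits bob_adjustment to lower it to 10;
    Alice front-runs it with a 50-token transferFrom and back-runs it with 10 more."""
    tok = Token({"bob": 100, "alice": 0})
    tok.approve("bob", "alice", 50)
    mine(tok, [
        lambda t: t.transfer_from("alice", "bob", "alice", 50),  # front-run
        bob_adjustment,                                          # Bob's tx lands second
        lambda t: t.transfer_from("alice", "bob", "alice", 10),  # back-run
    ])
    return tok.balances["alice"]  # how many of Bob's tokens Alice obtained


def spent_with_approve():
    return total_spent(lambda t: t.approve("bob", "alice", 10))  # returns 60


def spent_with_decrease_allowance():
    return total_spent(lambda t: t.decrease_allowance("bob", "alice", 40))  # returns 50
```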

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Overinflated severity