code-423n4 / 2022-12-tigris-findings


Tokens with irregular permit. #618

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L56

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L647

Vulnerability details

Impact

Some tokens may not conform to IERC20Permit. Case in point: the DAI stablecoin, which uses a permit() that is different from the reference permit.

IERC20Permit:

    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external;

DAI's permit:

    function permit(
        address holder,
        address spender,
        uint256 nonce,
        uint256 expiry,
        bool allowed,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external;

Proof of Concept

N/A

Tools Used

Manual Review

Recommended Mitigation Steps

Either check whether the token being permitted is DAI and use DAI's permit if it is, or alternatively use Uniswap's permit2.
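One way to implement the first recommended mitigation, shown as an added example that is not part of the original report or of the Tigris code base. The names `PermitAdapter`, `daiStylePermit`, `PermitArgs` and `_applyPermit` are hypothetical, and how the DAI-style list is populated is left as an assumption for the inheriting contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20Permit {
    function permit(address owner, address spender, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
}

interface IDaiLikePermit {
    function permit(address holder, address spender, uint256 nonce,
        uint256 expiry, bool allowed, uint8 v, bytes32 r, bytes32 s) external;
}

interface IAllowance {
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical helper; names are illustrative, not taken from the audited contracts.
abstract contract PermitAdapter {
    // Tokens known to expose the DAI-style signature. Assumption: the
    // inheriting contract fills this in (constructor or governance).
    mapping(address => bool) internal daiStylePermit;

    // nonceOrValue is the holder's nonce for DAI-style tokens (the approval is
    // all-or-nothing there) and the approved value for IERC20Permit tokens.
    struct PermitArgs {
        uint256 nonceOrValue;
        uint256 deadline;
        uint8 v;
        bytes32 r;
        bytes32 s;
    }

    function _applyPermit(address token, address owner, uint256 required, PermitArgs memory p) internal {
        if (daiStylePermit[token]) {
            // allowed = true sets the allowance to type(uint256).max on DAI.
            try IDaiLikePermit(token).permit(owner, address(this), p.nonceOrValue, p.deadline, true, p.v, p.r, p.s) {} catch {}
        } else {
            try IERC20Permit(token).permit(owner, address(this), p.nonceOrValue, p.deadline, p.v, p.r, p.s) {} catch {}
        }
        // A reverting or unsupported permit is tolerated only when an earlier
        // approve() already covers the amount; a call that succeeds without
        // setting an allowance is rejected here as well.
        require(IAllowance(token).allowance(owner, address(this)) >= required,
            "PermitAdapter: allowance too low");
    }
}
```

Checking the allowance after the call, rather than trusting that `permit` succeeded, keeps the plain `approve()` path usable for tokens whose permit reverts or does not match either signature.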

GalloDaSballo commented 1 year ago

Looks valid, but no impact, meaning I will most likely downgrade due to a lack of showing how the finding can cause a loss besides it not working with DAI.

TriHaz commented 1 year ago

I believe this should be QA.

c4-sponsor commented 1 year ago

TriHaz marked the issue as sponsor acknowledged

GalloDaSballo commented 1 year ago

Per a similar report, some tokens will revert when calling the function; a sidestep is offered by using the "normal way",

meaning this is a QA - Low Severity finding

L

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-12-tigris-findings/issues/568