code423n4 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MToken.sol#L159-L164

Vulnerability details

Impact

In MToken.sol we have approve() function:

function approve(address spender, uint256 amount) override external returns (bool) {  
        address src = msg.sender;
        transferAllowances[src][spender] = amount;
        emit Approval(src, spender, amount);
        return true;
    }

This function allows a token holder to approve another address (the spender) to spend a certain amount of their tokens.

The approve function is susceptible to front-running because an attacker can see a transaction in the menpool if the owner changes the approval amount, and could potentially submit a transaction to spend the current approved amount before the transaction is mined.

Proof of Concept

Alice approve() approve Bob to spend 100 tokens on her behalf.
She then changes her mind wanting to decrease Bob's allowance from 100 shares to 50 shares.
Bob sees the transaction in the mempool and immediately uses the allowed amount.
When Alice's transaction is executed, Bob gets another 50 tokens of allowance.

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Consider implementing increasing and decreasing allowance functions to mitigate the race condition.

Assessed type

Other

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as duplicate of #290

c4-judge commented 11 months ago

alcueca marked the issue as unsatisfactory: Insufficient proof

code-423n4 / 2023-07-moonwell-findings

`approve()` can be front-run #372