Open hats-bug-reporter[bot] opened 1 month ago
Github username: --
Twitter username: --
Submission hash (on-chain): 0xd6ffa3f3b5644efd3a0bc9884fdbadc8e0153b0b99c7fff88c5f09fb70ded997
Severity: high
Description:

I will take IPearlmit.allowance as an example.

[IPearlmit.approve] and [IPearlmit.allowance] are defined in IPearlmit.sol#L36-L42
```solidity
// IPearlmit.sol#L36-L42
function approve(uint256 tokenType, address token, uint256 id, address operator, uint200 amount, uint48 expiration)
    external;

function allowance(address owner, address operator, uint256 tokenType, address token, uint256 id)
    external
    view
    returns (uint256 allowedAmount, uint256 expiration);
```
And IPearlmit.allowance is used in Market.sol#L419 and Market.sol#L440
```solidity
// Market.sol#L419
(pearlmitAllowed,) = penrose.pearlmit().allowance(from, msg.sender, 20, address(this), 0);
```
penrose.pearlmit()'s type definition should be Pearlmit.sol, and allowance is not defined in Pearlmit.sol, but Pearlmit is inherited from PermitC, and in PermitC.sol, [IPearlmit.allowance] is defined as:
```solidity
// PermitC.sol#L218-L225
function allowance(
    address owner,
    address operator,
    address token,
    uint256 id
) external view returns (uint256 allowedAmount, uint256 expiration) {
    return _allowance(owner, operator, token, id, ZERO_BYTES32);
}

// ...

// PermitC.sol#L758-L766
function allowance(
    address owner,
    address operator,
    address token,
    uint256 id,
    bytes32 orderId
) external view returns (uint256 allowedAmount, uint256 expiration) {
    return _allowance(owner, operator, token, id, orderId);
}
```
None of the signatures matches IPearlmit.allowance.

The same issue happens to IPearlmit.approve.

Attack Scenario:

Without the correct signature, the function will revert when calling the API.
Nothing seems off in the latest version of PermitC that we're using https://github.com/Tapioca-DAO/PermitC/blob/main/src/PermitC.sol#L264