Open hats-bug-reporter[bot] opened 1 month ago
It's a valid issue, but this is used 1 time only to permit pearlmit
. I'll mark it as a Low because there's no risk here.
However, the suggested fix doesn't seem right. I think a better one would be check if the sender is whitelisted and execute permit with owner param if so, otherwise execute permit with msg.sender instead of owner
Hi! We said we were not going to reward lows, but we are going to reward you with 150 USDC as a token of appreciation
Github username: @CergyK Twitter username: -- Submission hash (on-chain): 0x154803094095bc5c6319f596cd6217ccd02f0d3b6a454c7e1f76624ebebdaf45 Severity: medium
Description: Description Any user can call
MarketERC20::permit
on behalf of an owner,Attack Scenario\
Alice wants to do a cross-chain action, which needs a permit to be granted on the destination chain. Alice initiates her action on mainnet, and provides permit data to be used on destination chain.
Bob sees the action initiated by Alice on mainnet, and front-runs it by calling permit directly on destination chain, effectively DoSing the whole Alice xChain action.
Recommendation Check that spender is msg.sender (or add a field
caller
to be checked on).contracts/market/MarketERC20.sol
: