hats-finance / Tapioca--Lending-Engine--0x5bee198f5b060eecd86b299fdbea6b0c07c728dd


MarketERC20::permit lacks access control, enabling xChain calls relying on permits to be DoSed #15

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @CergyK
Twitter username: --
Submission hash (on-chain): 0x154803094095bc5c6319f596cd6217ccd02f0d3b6a454c7e1f76624ebebdaf45
Severity: medium

Description: Any user can call MarketERC20::permit on behalf of an owner,

Attack Scenario

Recommendation: Check that spender is msg.sender (or add a field caller to be checked on).

contracts/market/MarketERC20.sol:

function _permit(
    bool asset, // true = asset, false = collateral
    address owner,
    address spender,
    uint256 value,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
) internal {
    require(block.timestamp <= deadline, "ERC20Permit: expired deadline");
+   require(msg.sender == spender, "not spender");

    bytes32 structHash;

    structHash = keccak256(
        abi.encode(
            asset ? _PERMIT_TYPEHASH : _PERMIT_TYPEHASH_BORROW, owner, spender, value, _useNonce(owner), deadline
        )
    );

    bytes32 hash = _hashTypedDataV4(structHash);

    address signer = ECDSA.recover(hash, v, r, s);

    require(signer == owner, "ERC20Permit: invalid signature");

    if (asset) {
        _approve(owner, spender, value);
    } else {
        _approveBorrow(owner, spender, value);
    }
}

cryptotechmaker commented 1 month ago

It's a valid issue, but this is used only one time, to permit pearlmit. I'll mark it as a Low because there's no risk here. However, the suggested fix doesn't seem right. I think a better one would be to check if the sender is whitelisted and execute permit with the owner param if so, otherwise execute permit with msg.sender instead of owner.
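
The maintainer's whitelist variant of the fix, written out next to the reporter's `msg.sender == spender` recommendation as an added sketch that is not code from the Tapioca repository or from either commenter. The contract name, the `permitWhitelist` mapping, a plain `uint256` nonce counter and the OpenZeppelin (>= 4.9) import paths are assumptions, and only the asset path is shown; the borrow path would use `_PERMIT_TYPEHASH_BORROW` and `_approveBorrow` in the same way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

/// Hypothetical sketch of the permit path only. `_approve` and the
/// administration of `permitWhitelist` are left to the inheriting contract.
abstract contract PermitSketch is EIP712 {
    bytes32 private constant _PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    mapping(address => uint256) private _nonces;

    /// Assumed: callers (e.g. a trusted relayer) allowed to submit a permit
    /// on behalf of a third-party `owner`. Everyone else may only consume a
    /// signature they produced themselves, so they cannot burn another
    /// owner's nonce or set another owner's allowance.
    mapping(address => bool) public permitWhitelist;

    constructor() EIP712("PermitSketch", "1") {}

    function nonces(address owner) public view returns (uint256) {
        return _nonces[owner];
    }

    function _approve(address owner, address spender, uint256 value) internal virtual;

    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        require(block.timestamp <= deadline, "ERC20Permit: expired deadline");

        // Whitelisted sender: honour the supplied owner. Anyone else: the
        // signature is checked against msg.sender, so the caller is the owner.
        address effectiveOwner = permitWhitelist[msg.sender] ? owner : msg.sender;

        // `_nonces[x]++` yields the current nonce and then increments it,
        // matching the `_useNonce(owner)` call in the original.
        bytes32 structHash = keccak256(
            abi.encode(_PERMIT_TYPEHASH, effectiveOwner, spender, value, _nonces[effectiveOwner]++, deadline)
        );
        address signer = ECDSA.recover(_hashTypedDataV4(structHash), v, r, s);
        require(signer == effectiveOwner, "ERC20Permit: invalid signature");

        _approve(effectiveOwner, spender, value);
    }
}
```

A non-whitelisted caller passing someone else's `owner` does not revert early here; its signature simply has to verify against `msg.sender`, which is the behaviour the comment above describes.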

maarcweiss commented 4 weeks ago

Hi! We said we were not going to reward lows, but we are going to reward you with 150 USDC as a token of appreciation.