Open hats-bug-reporter[bot] opened 1 month ago
Hey @bauchired https://github.com/limitbreakinc/PermitC/blob/65e3a4a493aa14d1a03c23512233d7546e8f1e96/src/PermitC.sol#L182
Permit.approve in fact has 6 params has you can see on the link.
Make sure to check all the commits properly as might be that you are checking an old one.
Github username: @bauchibred Twitter username: Bauchibred Submission hash (on-chain): 0xee35e968cc281e9b052def1e5ea5cfa6ea6c3ee8cf81e440b8c562367846a985 Severity: high
Description: Description
Take a look at https://github.com/hats-finance/Tapioca-0xe0b920d38a0900af3bab7ff0ca0af554129f54ad/blob/baddafc15616a5674e73c2f5a920b92bf9b21888/contracts/tokens/TapTokenReceiver.sol#L120C1-L135C6
This function's core use as documented is to lock TAP for users in the twTAP contract. In it's execution thefunction makes a query to approve via pearlmit, however this is the specification on IPearlmit's approve:
function approve(address token, uint256 id, address operator, uint200 amount, uint48 expiration) external;
Which showcases that it needs five parameters, the instance above from
_lockTwTapPositionReceiver()
as hinted by the @audit tag however passes in 6 parameters, with theuint256 20
not being accounted for on Pearlmit, this then leads to all attempts to lock theTwTapPositionReceiver
to revert as the function signature would not match anything on IPearlmit, making the call topearlmit.approve()
be unsuccessful.This essentially makes it impossible to lock tokens
TAP
for any user in thetwTAP
contract which is a core functionality and also any logic that queriesTapTokenReceiver#_lockTwTapPositionReceiver()
would also revert.Attack Scenario N/A Recommendation Correctly query
pearlmit.approve()
by passing in the right parameters AttachmentsN/A
N/A