Med
It is possible to frontrun approve(..) and get access to more token amount than intended
Summary
the approve method in pool contract can frontrun to allow an account spend more token than intended
Vulnerability Detail
say address A approves X amount of token for address B
If address A tries to update the approved amount for address B to say Y amount of token
address B can frontrun the transaction, hence making her elligible to spend (X+Y) amount of token
approve could take a third argument which corresponds to the initial token amount approved for an account,
if the current approved amount varies from this argument, aprroval should not suceed.
0xnuel
medium
possible approve(..) frontrun
nuel
Med It is possible to frontrun approve(..) and get access to more token amount than intended
Summary
the
approvemethod in pool contract can frontrun to allow an account spend more token than intendedVulnerability Detail
say address A approves X amount of token for address B If address A tries to update the approved amount for address B to say Y amount of token address B can frontrun the transaction, hence making her elligible to spend (X+Y) amount of token
Impact
Code Snippet
`function approve(address spender, uint amount) external returns (bool) {
https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L299
Tool used
Manual Review
Recommendation
approvecould take a third argument which corresponds to the initial token amount approved for an account, if the current approved amount varies from this argument, aprroval should not suceed.Duplicate of #154