XO-transferFromWithPermit function allows attackers to steal tokens
Summary
The transferFromWithPermit function does not check to make sure that the third party is actually authorized to transfer the tokens.
This means that an attacker could call the permit function with a fake signature, and then call the transferFromWithPermit function to transfer the tokens to themselves.
Vulnerability Detail
There is a vulnerability in the transferFromWithPermit function. This function can call the permit function, which allows a third party to transfer tokens on behalf of the owner of the tokens. However, the transferFromWithPermit function does not check that the third party is actually authorized to transfer the tokens. This means that an attacker can call the permit function with a fake signature, and then call the transferFromWithPermit function to transfer the tokens to their own account. This problem can allow an attacker to steal tokens from the contract.
Impact
The vulnerability allows an attacker to steal tokens from the contract.
XDZIBEC
high
Code Snippet
Tool used
Manual Review
Recommendation
transferFromWithPermit function to make sure that the signature of the permit function is valid.