cw20 allowance expiration can be set to a block height or timestamp in the past #628

harryscholes · 2022-01-10T08:30:00Z

Expirations are not validated when allowances are created,

cw-plus/contracts/cw20-base/src/allowances.rs

Line 28 in fa0c5ac

if let Some(exp) = expires {

only when they are used

cw-plus/contracts/cw20-base/src/allowances.rs

Line 95 in fa0c5ac

if a.expires.is_expired(block) {

This is not a huge problem, as the expiration can be updated to a future block height or timestamp, or removed entirely. Should we add validation that the block height or timestamp is in the future when creating a new allowance? Happy to make a PR for this if there is interest.

NB this was found in an audit of Mars protocol in a contract that was forked from the cw-plus cw20-base contract.

ethanfrey · 2022-08-15T14:43:19Z

Happy for this addition. It seems like it slipped off our plate

Validate allowance expiration, closes #628

ethanfrey added this to the v0.15.0 milestone Aug 15, 2022

uint assigned chipshort Sep 5, 2022

This was referenced Sep 5, 2022

Validate allowance expiration #792

Closed

Validate allowance expiration #793

Merged

chipshort closed this as completed in #793 Sep 5, 2022

chipshort added a commit that referenced this issue Sep 5, 2022

Merge pull request #793 from CosmWasm/validate-allowance-expiration-2

bc33936

Validate allowance expiration, closes #628

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cw20 allowance expiration can be set to a block height or timestamp in the past #628

cw20 allowance expiration can be set to a block height or timestamp in the past #628

harryscholes commented Jan 10, 2022

ethanfrey commented Aug 15, 2022

cw20 allowance expiration can be set to a block height or timestamp in the past #628

cw20 allowance expiration can be set to a block height or timestamp in the past #628

Comments

harryscholes commented Jan 10, 2022

ethanfrey commented Aug 15, 2022