Front-running approve() and permit() allows double spending #271
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-145
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/token/ERC20.sol#L216-L244
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/Escrow.sol#L22-L27
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L307-L311
Vulnerability details
Impact
The core issue revolves around the susceptibility to front-running attacks due to the use of the approve function and its analogs without the corresponding increaseAllowance and decreaseAllowance functions.
Escrow.sol: approve function
ERC20.sol: permit function
LiquidityPool.sol: approve function
The absence of increaseAllowance and decreaseAllowance methods alongside the use of the approve function leaves the smart contract susceptible to double-spending vulnerabilities facilitated by front-running attacks. These vulnerabilities could potentially lead to unauthorized withdrawals or transfers, which may result in financial loss for users and harm the contract's credibility.
Proof of Concept
Suppose an initial allowance of N tokens exists between an owner and a spender. A user aiming to modify this allowance could inadvertently create a window of opportunity for an attacker to exploit.
... N to M.
... N tokens' allowance.
... M.
... M tokens, effectively exploiting the system to use N + M tokens.
Tools Used
manual review
Recommended Mitigation Steps
A unified mitigation strategy involves refactoring the allowance management system to include increaseAllowance and decreaseAllowance functions. This change will prevent the need to reset allowances to zero, thus eliminating the time window that attackers could exploit for double-spending. Specifically, these methods would allow for atomic, relative changes to the allowance, directly addressing the identified vulnerability.
Assessed type
Timing
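The transaction orderings from the Proof of Concept and the relative-change mitigation, as a small Python model added here (not code from the report or from the Centrifuge repository). The Allowance class, run() and the sample amounts are constructed for illustration, and the reverting decrease is an assumed behaviour for decreaseAllowance.

```python
# Added model (not Centrifuge code): one owner->spender allowance slot.
class Allowance:
    """Single allowance with ERC-20-style semantics; amounts are constructed."""

    def __init__(self, value):
        self.value = value
        self.spent = 0

    def approve(self, new_value):
        # Absolute overwrite: ignores whatever has already been spent.
        self.value = new_value

    def increase(self, delta):
        self.value += delta

    def decrease(self, delta):
        # Assumed decreaseAllowance behaviour: revert instead of underflowing.
        if delta > self.value:
            raise ValueError("decreased allowance below zero")
        self.value -= delta

    def transfer_from(self, amount):
        if amount > self.value:
            raise ValueError("insufficient allowance")
        self.value -= amount
        self.spent += amount


def run(n, m, relative, spender_first):
    """Change the allowance from n to m; return the total the spender pulls."""
    a = Allowance(n)
    if spender_first:
        a.transfer_from(n)        # spender's tx is ordered before the owner's
    try:
        if not relative:
            a.approve(m)          # absolute update, as in the reported code
        elif m >= n:
            a.increase(m - n)     # relative update (the recommended mitigation)
        else:
            a.decrease(n - m)
    except ValueError:
        pass                      # owner's tx reverted; allowance unchanged
    a.transfer_from(a.value)      # spender uses whatever allowance remains
    return a.spent


if __name__ == "__main__":
    for n, m in [(100, 50), (100, 150)]:
        print(n, m, "approve:", run(n, m, False, True),
              "relative:", run(n, m, True, True))
```

With the absolute approve the spender ordered first ends up with N + M; with relative changes the total is bounded by the larger of N and M, because a decrease that arrives after the allowance was spent reverts and an increase only adds the difference.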