Avoid the use of increaseAllowance and decreaseAllowance from ERC20, which were recently deprecated. #498
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-320
- low quality report: This report is of especially low quality
- unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L139-L160
Vulnerability details
Impact
The ERC20.sol file is the implementation of the ERC20 standard used throughout the codebase, and it exposes increaseAllowance and decreaseAllowance. These two functions are not part of EIP-20; OpenZeppelin's ERC20 carried them as a non-standard extension, and the change removing them from the OpenZeppelin library was merged recently, so they are now deprecated there.

In this codebase, ERC20.sol is expected to work with the ERC-4626 vaults (the liquidity pools), whose assets are ERC20 tokens. Relying on functions that the reference library has dropped can later prove problematic and cause issues when integrating with assets that follow the current standard.

Impact: Medium, as functionality does not work as expected, but without loss of value.
Likelihood: Medium, as multiple methods are not compliant with the standard.
Proof of Concept
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L139C5-L146C6
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L148C2-L159C6
Tools Used
Manual review
Recommended Mitigation Steps
Avoid the use of increaseAllowance and decreaseAllowance, or use the SafeERC20 library, which is still available and implements the same adjustments on top of the standard approve.
Assessed type
ERC20
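The following is an added example, not code from the Centrifuge repository or from OpenZeppelin, showing the caller-side pattern the mitigation refers to: a contract adjusts a spender's allowance using only the EIP-20 functions allowance and approve, so the token itself never needs to expose the non-standard increaseAllowance/decreaseAllowance. The interface, library, contract and function names (IERC20Minimal, AllowanceHelper, AllowanceManager, _forceApprove, grant, trim) are this example's own; the structure follows the approach OpenZeppelin's SafeERC20 keeps for safeIncreaseAllowance/safeDecreaseAllowance, but it is not that library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Centrifuge or OpenZeppelin code): a caller adjusts a spender's
// allowance using only the EIP-20 functions `allowance` and `approve`, so the token
// contract does not need to implement increaseAllowance/decreaseAllowance itself.

/// The two EIP-20 functions the helper relies on; every compliant token has them.
interface IERC20Minimal {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 value) external returns (bool);
}

/// Caller-side helper (hypothetical names) modelled on the pattern OpenZeppelin's
/// SafeERC20 keeps: read the current allowance, compute the new value, set it with `approve`.
library AllowanceHelper {
    error ApproveFailed(address token);
    error DecreaseBelowZero(uint256 current, uint256 requested);

    /// Raise `spender`'s allowance on `token` by `added`; Solidity 0.8 reverts on overflow.
    function increaseAllowance(IERC20Minimal token, address spender, uint256 added) internal {
        uint256 current = token.allowance(address(this), spender);
        _forceApprove(token, spender, current + added);
    }

    /// Lower `spender`'s allowance on `token` by `removed`; reverts instead of underflowing.
    function decreaseAllowance(IERC20Minimal token, address spender, uint256 removed) internal {
        uint256 current = token.allowance(address(this), spender);
        if (removed > current) revert DecreaseBelowZero(current, removed);
        _forceApprove(token, spender, current - removed);
    }

    /// Call `approve` at a low level so tokens that return no bool (a common EIP-20
    /// deviation) are accepted, while a revert, a `false` return, or a non-contract
    /// address is surfaced as a typed error instead of being silently ignored.
    function _forceApprove(IERC20Minimal token, address spender, uint256 value) private {
        if (address(token).code.length == 0) revert ApproveFailed(address(token));
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeCall(IERC20Minimal.approve, (spender, value)));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert ApproveFailed(address(token));
        }
    }
}

/// Illustrative consumer (hypothetical): a contract holding `asset` whose owner can grant
/// or trim a fixed `spender`'s allowance against a plain EIP-20 token.
contract AllowanceManager {
    using AllowanceHelper for IERC20Minimal;

    IERC20Minimal public immutable asset;
    address public immutable spender;
    address public immutable owner;

    constructor(IERC20Minimal asset_, address spender_) {
        asset = asset_;
        spender = spender_;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function grant(uint256 amount) external onlyOwner {
        asset.increaseAllowance(spender, amount);
    }

    function trim(uint256 amount) external onlyOwner {
        asset.decreaseAllowance(spender, amount);
    }
}
```

Because the read of the current allowance and the approve happen inside one transaction, nothing can interleave between them, so the caller gets the same increase/decrease semantics a token-side increaseAllowance provides while the token stays strictly EIP-20. The usual approve double-spend consideration between two separate transactions is unchanged from any approve-based flow.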