This repository has been archived by the owner on Nov 3, 2024. It is now read-only.
0xSwahili - The exaTokens ERC20 token-contract approve function is prone to a front-run attack #34
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
0xSwahili
high
The exaTokens ERC20 token-contract approve function is prone to a front-run attack
Summary
exaTokens token owners are prone to a double allowance spend due to an approval-race condition on the token contract.
Vulnerability Detail
Users are allowed to withdraw assets from an account owner when the owner calls the approve function on the Market contract and grants them an allowance:
This allowance can be used by the beneficiary to withdraw the owner's assets, e.g. by calling withdrawAtMaturity:
However, the approve method is subject to an approval-race attack that can allow malicious beneficiaries to "double spend" owners' tokens.
Impact
exaToken owners are likely to assign "double allowances" to beneficiaries against general expectation.
Code Snippet
Consider this POC:
Alice deposits some assets onto a Market and is minted some exaTokens. Alice wishes to appoint Bob to operate on her assets and decides to grant Bob some allowance by calling approve(Bob,100);. After some time, Alice decides to reduce Bob's allowance to 50. Bob, who is actively monitoring the mempool, spots Alice's transaction. He launches a sandwich attack on Alice's transaction via MEV that will:
The end result is that Bob spends 150 instead of 50. This is not what Alice wished.
Tool used
Manual Review
Recommendation
To fix this vulnerability, I recommend that the exaTokens approval function be modified such that any non-zero token approval call must first be preceded by a zero-amount approval call, similar to the USDT token contract found here:
https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code#L199
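The recommended zero-first rule, modelled in Python next to the plain overwrite behaviour. This is an added example, not code from the report or from the exaTokens contracts; the class, the function names and the owner's "read what was spent, then grant the remainder" step are assumptions made for illustration.

```python
class Revert(Exception):
    """Models a reverted transaction."""

class AllowanceLedger:
    """Minimal allowance bookkeeping for one token (constructed model)."""
    def __init__(self, zero_first_guard):
        self.zero_first_guard = zero_first_guard
        self.allowance = {}  # (owner, spender) -> remaining allowance
        self.spent = {}      # (owner, spender) -> total pulled so far

    def approve(self, owner, spender, amount):
        current = self.allowance.get((owner, spender), 0)
        # Zero-first rule: a non-zero allowance may only be set from zero.
        if self.zero_first_guard and amount != 0 and current != 0:
            raise Revert("reset allowance to 0 first")
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, amount):
        key = (owner, spender)
        if amount > self.allowance.get(key, 0):
            raise Revert("insufficient allowance")
        self.allowance[key] -= amount
        self.spent[key] = self.spent.get(key, 0) + amount

def overwrite_flow():
    """Owner overwrites 100 -> 50 in one call; spender's tx lands first."""
    t = AllowanceLedger(zero_first_guard=False)
    t.approve("alice", "bob", 100)
    t.transfer_from("bob", "alice", 100)   # ordered before the update
    t.approve("alice", "bob", 50)          # overwrite grants a fresh 50
    t.transfer_from("bob", "alice", 50)
    return t.spent[("alice", "bob")]

def zero_first_flow(target=50):
    """Owner resets to 0, reads what was spent, then grants the remainder."""
    t = AllowanceLedger(zero_first_guard=True)
    t.approve("alice", "bob", 100)
    try:
        t.approve("alice", "bob", target)  # direct 100 -> 50 is rejected
        direct_change_rejected = False
    except Revert:
        direct_change_rejected = True
    t.transfer_from("bob", "alice", 100)   # same ordering as above
    t.approve("alice", "bob", 0)
    already_spent = t.spent.get(("alice", "bob"), 0)
    t.approve("alice", "bob", max(target - already_spent, 0))
    key = ("alice", "bob")
    return direct_change_rejected, t.spent[key], t.allowance[key]
```

The guard on its own only rejects the direct non-zero to non-zero change. In this model it is the owner's check of the spent amount between the two calls that keeps the total at the originally granted 100 rather than 150.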