This report identifies a race condition vulnerability in the runLiquidation function of the LiquidationPoolManager contract, which could allow a malicious pool to withdraw more tokens than intended by the contract.
The runLiquidation function approves the pool address to spend the token balance of the contract for each accepted token. However, if the contract changes the approved amount in a subsequent transaction, the pool can exploit the race condition and use the old approval amount to transfer more tokens than expected.
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#76
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#37
The impact of this vulnerability is a loss of funds for the contract, as the pool can receive more tokens than the contract intended to liquidate. This could affect the liquidity and solvency of the contract and its users.
Manual
The recommendations to fix this vulnerability are:
Use the increaseAllowance and decreaseAllowance functions instead of the approve function, as they are safer and prevent race conditions.
Add a check to ensure that the approved amount is equal to the token balance before calling the transferFrom function on the pool.
Add a modifier to prevent reentrancy attacks on the runLiquidation function.
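The difference between overwriting an allowance and adjusting it by a delta, as described in the first recommendation, is shown below. This is an added example, not code from the LiquidationPoolManager contract. The `Token` class, the account names and the amounts are constructed, and `decrease_allowance` is assumed to revert when the delta exceeds the remaining allowance.

```python
# In-memory model of ERC-20 allowance bookkeeping (constructed, not the audited contract).
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Overwrites the remaining allowance, ignoring what was already spent.
        self.allowances[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, delta):
        self.allowances[(owner, spender)] = self.allowance(owner, spender) + delta

    def decrease_allowance(self, owner, spender, delta):
        current = self.allowance(owner, spender)
        if delta > current:  # assumed revert condition
            raise ValueError("decreased allowance below zero")
        self.allowances[(owner, spender)] = current - delta

    def transfer_from(self, spender, owner, to, amount):
        if amount > self.allowance(owner, spender) or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        self.allowances[(owner, spender)] = self.allowance(owner, spender) - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def pulled_with_overwrite(old, new):
    """Allowance changed with approve(): the spender can use both the old and new value."""
    t = Token({"manager": 1000})
    t.approve("manager", "pool", old)
    t.transfer_from("pool", "manager", "pool", old)  # ordered before the change
    t.approve("manager", "pool", new)                # overwrite grants a fresh allowance
    t.transfer_from("pool", "manager", "pool", new)
    return t.balances["pool"]


def pulled_with_delta(old, new):
    """Allowance changed by a delta: the stale decrease reverts, nothing new is granted."""
    t = Token({"manager": 1000})
    t.increase_allowance("manager", "pool", old)
    t.transfer_from("pool", "manager", "pool", old)
    try:
        t.decrease_allowance("manager", "pool", old - new)  # relative to what is left
    except ValueError:
        pass  # revert: allowance stays at zero
    return t.balances["pool"]
```

With an old allowance of 100 and a new one of 60, the overwrite path lets the spender move 160 in total, while the delta path caps it at the original 100.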