TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: high
Invalid

Approve function can be front run and use the coins for airdrop maliciously

Summary

Approve function can be front run

Vulnerability Details

Approve can be front-run and used as a phishing attack vector, just like tx.origin, with a different airdrop list. A block-stuffing attack can force the real transaction to revert, creating a phishing opportunity if needed.

    //@audit check check
    function test_airDropErc20ToManyByMaliciousUser() public virtual {
        address sender = makeAddr("sender");
        // Arrange: sender mints and approves the full amount to tSender
        uint256 uint256Amount = 1 ether;
        uint256 expectedTotalAmount = (uint256Amount * 2) + ONE;
        vm.startPrank(sender);
        mockERC20.mint(expectedTotalAmount);
        mockERC20.approve(address(tSender), expectedTotalAmount);
        vm.stopPrank();
        // recipients can be changed easily to create a new malicious list; the malicious user already knows the amount because it is approved
        address[] memory recipients = new address[](2);
        recipients[0] = recipientOne;
        recipients[1] = recipientTwo;
        uint256[] memory amounts = new uint256[](2);
        amounts[0] = uint256Amount;
        amounts[1] = uint256Amount + ONE;
        // Act maliciousUser
        vm.prank(sender);
        tSender.airdropERC20(address(mockERC20), recipients, amounts, expectedTotalAmount);
        // Assert: recipients received the listed amounts
        assertEq(mockERC20.balanceOf(recipientOne), uint256Amount);
        assertEq(mockERC20.balanceOf(recipientTwo), uint256Amount + ONE);
    }

Impact

The airdrop can be stolen through a phishing scam, in the same way as with the tx.origin pattern.

Tools Used

Manual review

Recommendations

Create deposit functionality to remove this threat
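An added sketch of the deposit-first flow this recommendation describes (this is example code, not TSender's own contract; the contract and interface names are assumed, and it assumes standard bool-returning ERC-20s): tokens are first pulled into the contract under the depositor's own key, and only that depositor can later spend the credited balance on a recipient list, so an outstanding approval by itself moves nothing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the "deposit first" recommendation; not TSender's code.
// Interface and contract names are assumed for the example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositAirdropper {
    // token => depositor => amount held on the depositor's behalf
    mapping(address => mapping(address => uint256)) public deposited;

    error LengthMismatch();
    error InsufficientDeposit(uint256 needed, uint256 available);
    error TransferFailed();

    // Step 1: the sender moves tokens into the contract under their own key.
    // Only msg.sender's balance is credited, whatever allowances exist elsewhere.
    function deposit(address token, uint256 amount) external {
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        deposited[token][msg.sender] += amount;
    }

    // Step 2: only the depositor can spend their own deposited balance on a list.
    function airdropFromDeposit(address token, address[] calldata recipients, uint256[] calldata amounts) external {
        if (recipients.length != amounts.length) revert LengthMismatch();
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) total += amounts[i];
        uint256 available = deposited[token][msg.sender];
        if (total > available) revert InsufficientDeposit(total, available);
        deposited[token][msg.sender] = available - total; // debit before external calls
        for (uint256 i = 0; i < recipients.length; i++) {
            if (!IERC20(token).transfer(recipients[i], amounts[i])) revert TransferFailed();
        }
    }

    // The depositor can reclaim any unused balance.
    function withdraw(address token, uint256 amount) external {
        uint256 available = deposited[token][msg.sender];
        if (amount > available) revert InsufficientDeposit(amount, available);
        deposited[token][msg.sender] = available - amount;
        if (!IERC20(token).transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```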

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
