Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

A malicious user can front-run the approval of tokens from a victim's account, leading to the loss of partial funds for the victim.

forgetfore1

Summary

A malicious user can front-run the approval of tokens from a victim's account, leading to the loss of partial funds for the victim.

Vulnerability Details

If a user grants token approval to a malicious user and later tries to increase the approved token amount, the malicious user can front-run this transaction. By spending all the previously approved tokens before the new approval is confirmed, the malicious user can obtain extra tokens from the victim.

Proof of Concept

  1. User A approves 10 USDz for User B.

  2. User A wants to add 5 USDz to the approval, so they send a transaction to approve 15 USDz for User B.

  3. User B front-runs this approval transaction by spending the 10 previously approved USDz before the new approval is processed.

Final state: User B has 10 USDz + 15 USDz = 25 USDz, effectively taking 10 extra USDz from User A.

Impact

This vulnerability leads to the loss of partial funds for the user.

Tools Used

Manual review.

Recommendations

Override the ERC20::_approve(address owner, address spender, uint256 value, bool emitEvent) function to allow approvals only if the spender has no previously approved tokens:

function _approve(address owner, address spender, uint256 value, bool emitEvent) internal virtual {
if (owner == address(0)) {
revert ERC20InvalidApprover(address(0));
}
if (spender == address(0)) {
revert ERC20InvalidSpender(address(0));
}
+ if (_allowances[owner][spender] != 0) {
+ revert();
+ }
_allowances[owner][spender] = value;
if (emitEvent) {
emit Approval(owner, spender, value);
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.