Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

ERC20 Approve Race Condition.

Summary

The `_increaseAllowance` function sets the spender address's allowance to the current allowance plus an additional amount.

Vulnerability Details

The LLMOracle is vulnerable to a well-known race condition in the ERC20 standard. This race condition can occur when a user calls the `approve` function of an ERC20 token and then calls `transferFrom` on the same token.

Before `feeToken.approve` executes, the spender could call `transferFrom` between the allowance check and the approve, thereby transferring the allowance before the approval is made. This sets the allowance to 0, which makes it possible to approve the initial allowance + amount.

```solidity
// Internal helper in LLMOracle: reads the spender's current allowance and
// overwrites it with that value plus `amount` using a plain approve().
function _increaseAllowance(address spender, uint256 amount) internal {
    feeToken.approve(spender, feeToken.allowance(address(this), spender) + amount);
}
```

Impact

Likelihood: medium. Unintended funds get withdrawn from the contract.

Tools Used

Manual Review

Recommendations

The issue can be mitigated by using the `increaseAllowance` and `decreaseAllowance` functions to modify approvals.
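To make the race described under Vulnerability Details and the mitigation recommended here concrete, the following is an added example (not code from the Swan/Dria project or from this submission): a small in-memory Python model of ERC20 allowance bookkeeping. `Token`, the `owner`/`spender` names and the amounts are constructed for the model; `approve_race` reproduces the classic overwrite race, while the two other functions show why relative updates via `increaseAllowance`/`decreaseAllowance` bound what a spender can ever move.

```python
# Added example, not part of the original submission: an in-memory model of
# ERC20 allowance bookkeeping that reproduces the approve() race the report
# describes and the increaseAllowance/decreaseAllowance mitigation it
# recommends. Token, "owner" and "spender" are constructed names for the model.


class InsufficientAllowance(Exception):
    """Raised where a real ERC20 would revert the transaction."""


class Token:
    """Minimal ERC20-style ledger: balances plus an (owner, spender) allowance map."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # Plain ERC20 approve overwrites unconditionally; this is what the race exploits.
        self.allowances[(owner, spender)] = amount

    def increase_allowance(self, owner, spender, added):
        # Relative update: adds to whatever is left at execution time.
        self.allowances[(owner, spender)] = self.allowance(owner, spender) + added

    def decrease_allowance(self, owner, spender, subtracted):
        current = self.allowance(owner, spender)
        if subtracted > current:
            raise InsufficientAllowance("decreased allowance below zero")
        self.allowances[(owner, spender)] = current - subtracted

    def transfer_from(self, spender, owner, to, amount):
        if amount > self.allowance(owner, spender):
            raise InsufficientAllowance("insufficient allowance")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def approve_race(first=100, second=150):
    """Owner approved `first` and later sends approve(`second`). A spender who
    sees the second approve pending can spend `first` before it executes and
    `second` after it, so the two grants compound. Returns what the spender
    ended up with (first + second, not max(first, second))."""
    token = Token({"owner": 1_000})
    token.approve("owner", "spender", first)
    token.transfer_from("spender", "owner", "spender", first)   # before approve(second) lands
    token.approve("owner", "spender", second)                    # overwrites the 0 left behind
    token.transfer_from("spender", "owner", "spender", second)  # after it lands
    return token.balances["spender"]


def increase_allowance_bounded(first=100, added=50):
    """Same intent (raise the cap from `first` to `first + added`) expressed
    relatively. Whatever the spender drained before the update, the total it
    can ever move is bounded by first + added. Returns the spender's balance."""
    token = Token({"owner": 1_000})
    token.approve("owner", "spender", first)
    token.transfer_from("spender", "owner", "spender", first)
    token.increase_allowance("owner", "spender", added)
    token.transfer_from("spender", "owner", "spender", token.allowance("owner", "spender"))
    return token.balances["spender"]


def decrease_allowance_reverts(first=100, subtracted=50):
    """Lowering the cap with decreaseAllowance after the spender already spent
    it reverts instead of silently re-granting funds. Returns
    (spender balance, whether the decrease reverted)."""
    token = Token({"owner": 1_000})
    token.approve("owner", "spender", first)
    token.transfer_from("spender", "owner", "spender", first)
    try:
        token.decrease_allowance("owner", "spender", subtracted)
        reverted = False
    except InsufficientAllowance:
        reverted = True
    return token.balances["spender"], reverted


if __name__ == "__main__":
    print("approve race:", approve_race())                      # 250
    print("increaseAllowance:", increase_allowance_bounded())   # 150
    print("decreaseAllowance:", decrease_allowance_reverts())   # (100, True)
```

The model deliberately keeps `approve` as an unconditional overwrite, because that is the ERC20 behaviour the race depends on; the relative functions read the allowance at execution time, which is why the spender's total stays bounded by what the owner intended to grant.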

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
