QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Incompatibility of `permit` function with smart contract wallets in `QuantAMMWeightedPool`

Summary

The QuantAMMWeightedPool inherits BalancerPoolToken, whose permit function relies on ECDSA.recover for signature verification. This method is incompatible with smart contract wallets as defined by EIP-4337, preventing these wallets from successfully using the permit functionality.

Given that many users, including large DeFi protocols and substantial funds, rely on smart contract wallets (e.g., multisig wallets and integrations like Beefy Finance), this limitation effectively blocks a significant portion of the user base from interacting seamlessly with our pools.

Impact

Smart contract wallets, which manage substantial funds and are widely used by DeFi protocols, cannot utilize the permit feature, potentially causing a DoS by restricting access for these users.

Recommendation

Integrate OZ's SignatureChecker library in the permit function to support both EOAs and smart contract wallets, ensuring compatibility with EIP-1271 standards.
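The two verification paths side by side, as an added example that is not code from QuantAMM, Balancer or this submission. `PermitDemo` is a hypothetical minimal permit contract: `permitEOAOnly` reproduces the ECDSA.recover pattern the finding describes, and `permit` applies the recommendation with OpenZeppelin's `SignatureChecker`. `SingleOwnerWallet` is a toy EIP-1271 wallet used only to show what the contract-wallet side must implement. OpenZeppelin Contracts v5 import paths and signatures (`ECDSA.tryRecover` returning three values, `Nonces`, `EIP712`) are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (import paths and tryRecover signature).
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {IERC1271} from "@openzeppelin/contracts/interfaces/IERC1271.sol";
import {Nonces} from "@openzeppelin/contracts/utils/Nonces.sol";

/// Hypothetical minimal permit contract; not QuantAMMWeightedPool or BalancerPoolToken.
/// Only the approval bookkeeping needed to contrast the two verification paths is kept.
contract PermitDemo is EIP712, Nonces {
    bytes32 private constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    mapping(address => mapping(address => uint256)) public allowance;

    error ExpiredSignature(uint256 deadline);
    error InvalidSigner(address signer, address owner);
    error InvalidSignature(address owner);

    constructor() EIP712("PermitDemo", "1") {}

    /// Builds the EIP-712 digest and consumes the owner's nonce (replay protection).
    function _permitDigest(address owner, address spender, uint256 value, uint256 deadline)
        internal
        returns (bytes32)
    {
        bytes32 structHash = keccak256(
            abi.encode(PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline)
        );
        return _hashTypedDataV4(structHash);
    }

    /// The pattern the finding describes: ECDSA.recover yields the key that produced (v, r, s).
    /// A smart contract wallet has no private key, so no (v, r, s) it can supply recovers to
    /// its own address; the `signer != owner` check therefore always reverts for such owners.
    function permitEOAOnly(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        if (block.timestamp > deadline) revert ExpiredSignature(deadline);
        bytes32 digest = _permitDigest(owner, spender, value, deadline);
        address signer = ECDSA.recover(digest, v, r, s); // reverts on malformed signatures
        if (signer != owner) revert InvalidSigner(signer, owner);
        allowance[owner][spender] = value;
    }

    /// The recommendation: SignatureChecker first tries ECDSA recovery (EOA case) and,
    /// if that does not match `owner`, staticcalls owner.isValidSignature(digest, signature)
    /// and accepts the EIP-1271 magic value 0x1626ba7e (contract wallet case).
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        bytes calldata signature
    ) external {
        if (block.timestamp > deadline) revert ExpiredSignature(deadline);
        bytes32 digest = _permitDigest(owner, spender, value, deadline);
        if (!SignatureChecker.isValidSignatureNow(owner, digest, signature)) {
            revert InvalidSignature(owner);
        }
        allowance[owner][spender] = value;
    }
}

/// Toy EIP-1271 wallet: a signature is valid when its single controlling EOA signed the hash.
/// Real wallets (multisigs, 4337 accounts) implement their own policy behind the same interface.
contract SingleOwnerWallet is IERC1271 {
    address public immutable ownerKey;

    constructor(address _ownerKey) {
        ownerKey = _ownerKey;
    }

    function isValidSignature(bytes32 hash, bytes memory signature)
        external
        view
        override
        returns (bytes4)
    {
        (address recovered, ECDSA.RecoverError err, ) = ECDSA.tryRecover(hash, signature);
        if (err == ECDSA.RecoverError.NoError && recovered == ownerKey) {
            return IERC1271.isValidSignature.selector; // 0x1626ba7e
        }
        return bytes4(0); // anything other than the magic value is treated as invalid
    }
}
```

Two practical notes on the switch. First, the ERC-2612 `permit(owner, spender, value, deadline, v, r, s)` selector is what integrators call today; accepting EIP-1271 signatures means taking a `bytes signature` parameter (or adding an overload), so the change is an interface change, not only an internal one. Second, `isValidSignatureNow` reaches the wallet through a staticcall, so the wallet cannot modify state during verification, but it does mean the pool's approval path now executes code controlled by the `owner` address; that is inherent to EIP-1271 and is why OpenZeppelin treats a non-magic return value or a revert as simply "invalid" rather than bubbling it up.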

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
