HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Double Allowance Exploit via Approve

Summary

Using approve to change the allowance introduces risks, as an attacker might front-run the transaction and use both the old and new allowances simultaneously. It is recommended to use increaseAllowance or decreaseAllowance to avoid this issue.

https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit?tab=t.0#heading=h.m9fhqynw2xvt

Vulnerability Details

The specific scenario is as follows:

  1. The Owner approves 10 ether for the consumer.

  2. The Owner intends to change the approval from 10 ether to 1 ether.

  3. Before the transaction is executed, the consumer transfers the 10 ether approved by the Owner to their own account.

  4. The Owner executes the transaction (changing the approval from 10 ether to 1 ether), and the consumer can transfer the 1 ether to their account.

  5. At this point, the Owner only intends to approve 1 ether for the consumer, but the consumer ends up with 10 ether + 1 ether, exceeding the Owner's approved amount.

Impact

Using approve to change the allowance introduces risks, as someone might exploit an unfortunate transaction order to simultaneously use both the old and new allowances.

Tools Used

Manual review

Recommendations

In WToken.sol, prefer using increaseAllowance/decreaseAllowance over approve.
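
Steps 1 to 5 above and the recommended relative update, replayed in a small Python model of ERC-20 allowance accounting. This is an added example, not code from WToken.sol or from the submission; the Token class, the run helper and the account names are hypothetical, and the revert when a decrease exceeds the current allowance is an assumption about how decreaseAllowance behaves.

```python
ETHER = 10**18

class Token:
    """Hypothetical in-memory model of ERC-20 balances and allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # Absolute update: overwrites the allowance no matter how much was spent.
        self.allowances[(owner, spender)] = amount

    def decrease_allowance(self, owner, spender, delta):
        # Relative update (assumed behaviour): reverts if delta exceeds what is left.
        current = self.allowances.get((owner, spender), 0)
        if delta > current:
            raise ValueError("decreased allowance below zero")
        self.allowances[(owner, spender)] = current - delta

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def run(use_decrease):
    """Replay the scenario with the consumer's spend ordered before the
    Owner's update; return the total the consumer received."""
    t = Token({"owner": 100 * ETHER})           # constructed starting balance
    t.approve("owner", "consumer", 10 * ETHER)                    # step 1
    t.transfer_from("consumer", "owner", "consumer", 10 * ETHER)  # step 3
    try:                                                          # steps 2 and 4
        if use_decrease:
            t.decrease_allowance("owner", "consumer", 9 * ETHER)  # 10 -> 1 as a delta
        else:
            t.approve("owner", "consumer", 1 * ETHER)             # 10 -> 1 as overwrite
    except ValueError:
        pass  # relative update reverts: the allowance is already spent
    remaining = t.allowances[("owner", "consumer")]
    if remaining:
        t.transfer_from("consumer", "owner", "consumer", remaining)  # step 4, spend
    return t.balances["consumer"]                                 # step 5

if __name__ == "__main__":
    print("approve overwrite :", run(False) // ETHER, "ether")
    print("decreaseAllowance :", run(True) // ETHER, "ether")
```

With the overwrite the consumer ends with 11 ether; with the relative decrease the update reverts and the total stays at the 10 ether originally approved.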

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
