Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

### **ERC20 Unrestricted Re-Approval Exploit (Front-Running Attack on `approve`)

usengo

Summary

The contract is vulnerable to an Unrestricted Re-Approval Exploit, a common issue in ERC20 tokens. This occurs when a spender (attacker) can front-run the owner's approve transaction to continuously drain their balance.

Vulnerability Details

The vulnerability exploits a fundamental flaw in the ERC20 approve() mechanism, where an attacker can front-run approval transactions to drain the victim’s funds repeatedly. This is a well-known issue with ERC20 tokens that do not implement safe allowance updates.

The approve() function allows an owner to authorize a spender to use their tokens. However, it does not enforce any restrictions on re-approvals, making it susceptible to a front-running attack.

function approve(address spender, uint256 amount) external returns (bool);

function transferFrom(

address sender,

address recipient,

uint256 amount

) external returns (bool);

Impact

This vulnerability allows an attacker to continuously drain a victim’s ERC20 token balance by exploiting the unsafe approve() mechanism.

Tools Used

Ran unit tests to simulate and confirm the exploit scenario.

Recommendations

Implement EIP-2612 (Permit), which allows token approvals via signed messages instead of transactions:

bytes32 structHash = keccak256(

abi.encode(

keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"),

owner, spender, value, _nonces[owner]++, deadline

)

);

bytes32 digest = keccak256(

abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash)

);

address signer = ecrecover(digest, v, r, s);

require(signer == owner, "Invalid signature");

allowances[owner][spender] = value;

emit Approval(owner, spender, value);}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.