OrderBook

First Flight #43
Beginner Friendly · Solidity
100 EXP
Submission Details
Impact: low
Likelihood: medium
Invalid

Approval Race Condition (ERC20 Approve Front-Running)

Problem:
The ERC20 approve/transferFrom pattern is vulnerable when a user changes an allowance from one non-zero value to another: an attacker can front-run the new approve and spend the old allowance before the new approval takes effect.

Risk:
Users may lose tokens unintentionally if an attacker exploits the race condition.

// OrderBook pulls the seller's tokens through the allowance the user granted it
IERC20(_tokenToSell).safeTransferFrom(msg.sender, address(this), _amountToSell);

Risk Reasoning:

  • This is a well-known ERC20 pattern issue and is not specific to your contract.

  • Exploitation requires an attacker to monitor for approval transactions and front-run them, which is possible but less common in practice for most tokens.

  • Most wallets and dApps now warn users about this and recommend safe approval patterns.

  • Depends on user behavior: If users follow best practices (set allowance to zero before increasing), the risk is minimal.

Summary:
Possible, but less likely unless users ignore best practices.

Proof of Concept

// User sets allowance to 100, then tries to increase to 200
token.approve(orderBook, 200);
// Attacker front-runs and spends 100 before new approval
orderBook.createSellOrder(token, 100, 100, 1 days);
// Now user's intended 200 allowance is already partially spent
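The ordering described in the Problem section and the proof of concept can be reproduced without a chain. The following Python model of ERC20 allowance semantics is an added example (not the OrderBook contract, not any real token, and not the author's code): approve overwrites the allowance, transferFrom consumes it, and the "user", "spender" accounts and the 100/200 amounts are constructed. It compares a naive 100-to-200 change with the reset-to-zero sequence, where the balance comparison stands in for the on-chain check that the old allowance was not spent before the new value is set.

```python
# Added example: minimal model of ERC20 approve/transferFrom used to show why
# overwriting a live allowance is racy and how a zero-reset plus a check closes
# the window. Not the OrderBook contract; all accounts and amounts constructed.


class Token:
    """Balances and allowances with ERC20 approve/transferFrom rules."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # ERC20 approve overwrites the allowance; it is not a delta.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance(owner, spender) < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def run_sequence(steps):
    """Replay (action, amount) steps in mined order; return the total the
    spender pulled from the user via successful transfer_from calls."""
    token = Token({"user": 1_000})
    pulled = 0
    for action, amount in steps:
        if action == "approve":
            token.approve("user", "spender", amount)
        elif action == "pull":
            try:
                token.transfer_from("spender", "user", "spender", amount)
                pulled += amount
            except PermissionError:
                pass  # pull landed after the allowance was reset or consumed
    return pulled


def naive_change(front_run):
    """User overwrites a live 100 allowance with 200 in a single approve."""
    steps = [("approve", 100)]
    if front_run:
        steps.append(("pull", 100))  # old allowance spent before approve(200) is mined
    steps += [("approve", 200), ("pull", 200)]
    return run_sequence(steps)  # 300 when front-run, 200 otherwise


def zero_reset_change(front_run):
    """User resets to 0, confirms nothing was pulled meanwhile, then approves 200."""
    token = Token({"user": 1_000})
    pulled = 0
    token.approve("user", "spender", 100)
    balance_before = token.balances["user"]
    if front_run:
        token.transfer_from("spender", "user", "spender", 100)  # lands before the reset
        pulled += 100
    token.approve("user", "spender", 0)  # from here on, pulls of the old value revert
    try:
        token.transfer_from("spender", "user", "spender", 100)
        pulled += 100
    except PermissionError:
        pass  # allowance is 0 during the reset window
    if token.balances["user"] == balance_before:  # old allowance was never used
        token.approve("user", "spender", 200)
        token.transfer_from("spender", "user", "spender", 200)
        pulled += 200
    return pulled  # 100 when front-run (user stops), 200 otherwise
```

The difference between `naive_change(True)` and `zero_reset_change(True)` is the whole point: with the reset, the most the spender can ever take is the old value or the new value, never both, and only if the user skips the check between the two approve calls does the 300 outcome return.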

- token.approve(orderBook, newAmount);
+ token.approve(orderBook, 0);
+ token.approve(orderBook, newAmount);
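Review bot: the snippet is caller-side code (the user's own approve calls), not a change to the `IERC20(_tokenToSell).safeTransferFrom(...)` path in OrderBook, so it relies on the user behaviour the Risk Reasoning section already flags; it should say where it is meant to live (wallet, dApp frontend, or user script). Also, `token.approve(orderBook, 0);` and `token.approve(orderBook, newAmount);` are two separate calls, and the reset only helps if the user confirms the old allowance was not spent between them before sending the second; add that check, or a sentence describing it, between the two lines.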
Updates

Lead Judging Commences
yeahchibyke (Lead Judge), about 2 months ago

Submission Judgement Published
yeahchibyke (Lead Judge), about 1 month ago
Invalidated
Reason: Non-acceptable severity
