Fujicracy · 0xdcota · Mar 22, 2023 · Mar 13, 2023 · Mar 13, 2023 · 0xcuriousapple
diff --git a/packages/protocol/src/abstracts/BaseVault.sol b/packages/protocol/src/abstracts/BaseVault.sol
@@ -187,7 +187,7 @@ abstract contract BaseVault is ERC20, SystemAccessControl, PausableVault, VaultP
    * @dev Called during {ERC20-transferFrom} to decrease allowance.
    * Requirements:
    * - Must be overriden to call {VaultPermissions-_spendWithdrawAllowance}.
-   * - Msut convert `shares` to `assets` before calling internal functions.
+   * - Must convert `shares` to `assets` before calling internal functions.
    *
    * @param owner of `shares`
    * @param operator allowed to act on `owners` behalf
@@ -205,6 +205,20 @@ abstract contract BaseVault is ERC20, SystemAccessControl, PausableVault, VaultP
     _spendWithdrawAllowance(owner, operator, receiver, convertToAssets(shares));
   }
 
+  /**
+   * @dev Called during {ERC20-transferFrom} to decrease allowance.
+   * Requirements:
+   * - Must be overriden to call {VaultPermissions-_spendWithdrawAllowance}.
+   * - Must convert `shares` to `assets` before calling internal functions.
+   *
+   * @param owner of `shares`
+   * @param receiver to whom `shares` will be spent
+   * @param shares amount to spend
+   */
+  function _spendAllowance(address owner, address receiver, uint256 shares) internal override {
+    _spendWithdrawAllowance(owner, receiver, receiver, convertToAssets(shares));
 function increaseWithdrawAllowance( 
   address operator, 
   address receiver, 
   uint256 byAmount 
 ) 
   public 
   override 
   returns (bool) 
 { 
   address owner = msg.sender; 
   _setWithdrawAllowance( 
     owner, operator, receiver, _withdrawAllowance[owner][operator][receiver] + byAmount 
   ); 
   return true; 
 } 
 function increaseWithdrawAllowance( 
   address operator, 
   address receiver, 
   uint256 byAmount 
 ) 
   public 
   override 
   returns (bool) 
 { 
   address owner = msg.sender; 
   _setWithdrawAllowance( 
     owner, operator, receiver, _withdrawAllowance[owner][operator][receiver] + byAmount 
   ); 
   return true; 
 } 
+  }
+
   /*//////////////////////////////////////////
       Asset management: overrides IERC4626
   //////////////////////////////////////////*/

diff --git a/packages/protocol/test/mocking/vaults/VaultPermissions.t.sol b/packages/protocol/test/mocking/vaults/VaultPermissions.t.sol
@@ -479,4 +479,37 @@ contract VaultPermissionsUnitTests is MockingSetup, MockRoutines {
       wrongPermit.owner, wrongPermit.receiver, wrongPermit.amount, wrongPermit.deadline, v, r, s
     );
   }
+
+  function testFail_spendAllowanceIssue() public {
+    do_deposit(1 ether, vault, owner);
+
+    vm.startPrank(owner);
+    vault.approve(receiver, 1 ether);
+    uint256 allowance1 = vault.allowance(owner, receiver);
+    vm.stopPrank();
+
+    vm.startPrank(receiver);
+    vault.transferFrom(owner, receiver, 1 ether);
+    uint256 allowance2 = vault.allowance(owner, receiver);
+    vm.stopPrank();
+
+    assertEq(allowance1, allowance2);
+  }
+
+  function test_spendAllowanceIssue() public {
+    do_deposit(1 ether, vault, owner);
+
+    vm.startPrank(owner);
+    vault.approve(receiver, 1 ether);
+    uint256 allowance1 = vault.allowance(owner, receiver);
+    vm.stopPrank();
+
+    vm.startPrank(receiver);
+    vault.transferFrom(owner, receiver, 1 ether);
+    uint256 allowance2 = vault.allowance(owner, receiver);
+    vm.stopPrank();
+
+    assertEq(allowance1, 1 ether);
+    assertEq(allowance2, 0);
+  }
 }