Erc20 Race condition #37

Open
code423n4 opened this issue Sep 8, 2021 · 2 comments
@code423n4
Contributor

Handle

JMukesh

Vulnerability details

Impact

In nTokenERC20Proxy.sol there is no decreaseAllowance()/increaseAllowance() function, which makes it prone to double spending. A malicious attacker can execute a double-spend attack on an allowance by front-running the execution of an approve() function that alters the state of a balance.

Proof of Concept

https://github.com/code-423n4/2021-08-notional/blob/main/contracts/external/adapters/nTokenERC20Proxy.sol#L100

Tools Used

Manual review

Recommended Mitigation Steps

Add increaseAllowance()/decreaseAllowance() functionality.

@jeffywu
Collaborator

jeffywu commented Sep 11, 2021

This is a well-known issue with ERC20. The atomic increase and decrease to allowance also do not fully prevent the attack; it is also a very theoretical attack vector. This should be reduced to 0 Non-Critical.

@ghoul-sol
Collaborator

Agree with sponsor
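
The transaction ordering discussed in this thread, as an added Python model that is not part of the original issue or of the Notional code base: it compares the total a spender can receive when the owner changes an allowance with approve() versus an atomic increase or decrease, with the spender's transferFrom ordered first. Token, run, outcomes and the amounts are constructed for illustration, and the revert on underflow in the decrease is an assumption.

```python
# Constructed model of ERC-20 allowance bookkeeping; not the nTokenERC20Proxy code.
# Token, run and outcomes are hypothetical names; amounts are sample values.

class Revert(Exception):
    """A reverted transaction: state is left unchanged."""

class Token:
    def __init__(self, owner_balance):
        self.balance = {"owner": owner_balance, "spender": 0}
        self.allowance = 0  # single owner -> spender allowance

    def approve(self, amount):
        self.allowance = amount  # overwrites, blind to what was already spent

    def increase_allowance(self, delta):
        self.allowance += delta

    def decrease_allowance(self, delta):
        if delta > self.allowance:  # assumption: underflow reverts
            raise Revert("decreased allowance below zero")
        self.allowance -= delta

    def transfer_from(self, amount):
        if amount > self.allowance or amount > self.balance["owner"]:
            raise Revert("insufficient allowance or balance")
        self.allowance -= amount
        self.balance["owner"] -= amount
        self.balance["spender"] += amount

def run(old, owner_tx):
    """Spender's transfer_from(old) lands before the owner's pending change;
    afterwards the spender pulls whatever allowance remains. Returns the total."""
    t = Token(owner_balance=1000)
    t.approve(old)
    t.transfer_from(old)
    try:
        owner_tx(t)
    except Revert:
        pass  # owner's transaction failed, allowance unchanged
    t.transfer_from(t.allowance)
    return t.balance["spender"]

def outcomes():
    return {
        "lower_100_to_50_approve": run(100, lambda t: t.approve(50)),
        "lower_100_to_50_decrease": run(100, lambda t: t.decrease_allowance(50)),
        "raise_50_to_100_approve": run(50, lambda t: t.approve(100)),
        "raise_50_to_100_increase": run(50, lambda t: t.increase_allowance(50)),
    }
```

In this model the atomic calls cap the total at the larger of the old and new allowance, while approve() allows their sum; when lowering, the cap is still the old 100 rather than the intended 50.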