Approved spender can spend too many tokens #43
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
cmichel
Vulnerability details
The
approve
function has not been overridden and therefore uses the internal shares, whereastransfer(From)
uses the rebalanced amount.Impact
The approved spender may spend more tokens than desired. In fact, the approved amount that can be transferred keeps growing with
pricePerShare
.Many contracts also use the same amount for the
approve
call as for the amount they want to have transferred in a subsequenttransferFrom
call, and in this case, they approve an amount that is too large (as the approvedshares
amount yields a higher rebalanced amount).Recommended Mitigation Steps
The
_allowances
field should track the rebalanced amounts such that the approval value does not grow. (This does not actually require overriding theapprove
function.)In
transferFrom
, the approvals should then be subtracted by the transferredamount
, not theamountInShares
:The text was updated successfully, but these errors were encountered: