Token is not ERC20 compliant (potential DOS of other contracts by oracle) #6
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
TomFrench
Vulnerability details
Impact
calling
transferFrom
withamount
will reduce the callers allowance by an amount other thanamount
.This under some circumstances can result in funds being locked in external contracts which perform exact approvals.
Proof of Concept
As a rebasing wrapper for ibBTC, wibBTC's
transferFrom
converts the passedamount
into terms of the underlying shares to perform the transfer.approve
however does not do this which opens up a potential issue.As
pricePerShare
is expected to be greater than 1 then this is unlikely to cause any major problems - the worst that will happen is there's some unexpected leftover allowance and we don't get an expected gas refund.However should
pricePerShare
< 1 (through loss of assets or a malicious oracle) then this code will start reverting and could potentially lock some wibBTC in contracts which rely on this behaviour untilpricePerShare
> 1 is once again true.Recommended Mitigation Steps
Override
approve
function and add similar logic to that intransfer
, updatetransferFrom
to reduce allowance byamount
rather thanamountInShares
The text was updated successfully, but these errors were encountered: