Avoid the use of increaseAllowance and decreaseAllowance from ERC20 that are recently deprecated #21
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
insufficient quality report: This report is not of sufficient quality
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/EBTCToken.sol?plain=1#L152-L170
Vulnerability details
Impact
Recently, the increaseAllowance function was removed from the OpenZeppelin ERC20 contract because it had been exploited in phishing attacks and to prevent the possibility of further phishing attacks.
See OpenZeppelin/openzeppelin-contracts#4583. We should remove the functions increaseAllowance and decreaseAllowance, as they only solve an imaginary problem.
These functions are not part of the EIP-20 specification.
Using these functions may result in unexpected behaviour that leaves integrating contracts in a corrupted state.
These functions may also open up further phishing possibilities.
Proof of Concept
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/EBTCToken.sol?plain=1#L152-L170
Tools Used
Manual code review
Recommended Mitigation Steps
Consider removing the increaseAllowance/decreaseAllowance functions from the EBTCToken contract.
Alternatively, implement the equivalent behaviour with the SafeERC20 library, which is still available.
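To illustrate the recommended shape, here is an added example (not EBTCToken code or part of this report) of a token that exposes only the EIP-20 surface, plus a caller-side contract that adjusts allowances through SafeERC20 instead of relying on token-side increaseAllowance/decreaseAllowance. It assumes OpenZeppelin Contracts v5.x import paths; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5.x, whose ERC20 no longer exposes
// increaseAllowance/decreaseAllowance.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Token with only the standard EIP-20 functions (approve, transfer,
// transferFrom, allowance, ...). No extra allowance-mutating selector exists
// on the token, so wallets and integrators see only the standard approve path.
contract PlainToken is ERC20 {
    constructor() ERC20("Plain", "PLN") {
        _mint(msg.sender, 1_000_000 ether);
    }
}

// A contract that must grow or shrink an allowance it granted to `spender`
// does so on the caller side. SafeERC20 reads allowance() and re-approves the
// new total via forceApprove, so it works against any EIP-20 token and needs
// no non-standard functions on the token itself.
contract AllowanceManager {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable spender;
    address public immutable owner;

    constructor(IERC20 token_, address spender_) {
        token = token_;
        spender = spender_;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Raises the allowance by `addedValue` on top of the current value.
    function grow(uint256 addedValue) external onlyOwner {
        token.safeIncreaseAllowance(spender, addedValue);
    }

    // Lowers the allowance; SafeERC20 reverts if the current allowance is
    // smaller than `subtractedValue`, so it cannot underflow silently.
    function shrink(uint256 subtractedValue) external onlyOwner {
        token.safeDecreaseAllowance(spender, subtractedValue);
    }
}
```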
Assessed type
ERC20