You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The code here that we use to get token transfer information from ERC20 contract transactions is potentially unsafe. It will fail if an ERC20 token contract does not throw an exception when a sender has insufficient funds for a transfer. In that case, an attacker could make a transfer for the correct amount without having adequate token funds and the resulting transaction will pass our verification checks. We've confirmed that the DAI contract will throw an exception when a sender doesn't have adequate funds so this issue doesn't currently affect our supported payment tokens (which are only DAI).
How can it be fixed?
If a token contract does not raise for insufficient funds, we'll need to check for log events, in payment transactions, that indicate a successful transfer.
The text was updated successfully, but these errors were encountered:
What was wrong?
The code here that we use to get token transfer information from ERC20 contract transactions is potentially unsafe. It will fail if an ERC20 token contract does not throw an exception when a sender has insufficient funds for a transfer. In that case, an attacker could make a transfer for the correct amount without having adequate token funds and the resulting transaction will pass our verification checks. We've confirmed that the DAI contract will throw an exception when a sender doesn't have adequate funds so this issue doesn't currently affect our supported payment tokens (which are only DAI).
How can it be fixed?
If a token contract does not raise for insufficient funds, we'll need to check for log events, in payment transactions, that indicate a successful transfer.
The text was updated successfully, but these errors were encountered: