Permit does not allow partial allowances

[smoelius]

Permit does not allow partial allowances

Severity: Informational
Difficulty: High

Description

permit allows one to approve only zero or everything:

gnt2/gnt2-contracts/src/contracts/GNT2/NewGolemNetworkToken.sol

Lines 64 to 65 in 1fb991c

	uint wad = allowed ? uint(- 1) : 0;
	_approve(holder, spender, wad);

This schema creates an incentive to behave maliciously for the spender. Having a decreasePermit/increasePermit would be safer, in particular for holders with large token balances.

Exploit Summary

Alice signs a permit for Bob to spend NGNT tokens on her behalf. Since Alice trusts Bob, she does not find this concerning. Eve holds Bob at gunpoint and forces him to give up his private keys. Eve uses Bob's private keys and the signed permit to steal all of Alice's NGNT tokens.

Recommendation

Implement decreasePermit and increasePermit functions that decrease and increase a spender's allowance (respectively), similar to OpenZeppelin's decreaseAllowance and increaseAllowance functions.

[shadeofblue]

by a design choice, permit will never be used that way.

We'll clearly recommend against issuing permits to individual private keys and thus permits will only be given to contracts. There will be a very select, presumably also audited set of contracts that we will ever recommend issuing permit for.