Permit does not allow partial allowances
Severity: Informational
Difficulty: High
Description
permit allows one to approve only zero or everything: gnt2/gnt2-contracts/src/contracts/GNT2/NewGolemNetworkToken.sol, lines 64 to 65 in 1fb991c.
This schema creates an incentive to behave maliciously for the spender. Having a decreasePermit/increasePermit would be safer, in particular for holders with large token balances.
Exploit Summary
Alice signs a permit for Bob to spend NGNT tokens on her behalf. Since Alice trusts Bob, she does not find this concerning. Eve holds Bob at gunpoint and forces him to give up his private keys. Eve uses Bob's private keys and the signed permit to steal all of Alice's NGNT tokens.
Recommendation
Implement decreasePermit and increasePermit functions that decrease and increase a spender's allowance (respectively), similar to OpenZeppelin's decreaseAllowance and increaseAllowance functions.
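As an added illustration of the recommendation (this is not the NewGolemNetworkToken code or the project's own implementation), the sketch below replaces the all-or-nothing boolean permit with signed, bounded increasePermit/decreasePermit operations; the EIP-712 type strings, the domain name and the clamp-to-zero behaviour in decreasePermit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch, not the NewGolemNetworkToken contract: a permit that adjusts a
// spender's allowance by a signed, bounded amount instead of granting everything.
contract BoundedPermitToken {
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public nonces;

    // Assumed EIP-712 type strings; a real contract may name the fields differently.
    bytes32 public constant INCREASE_TYPEHASH =
        keccak256("IncreasePermit(address holder,address spender,uint256 addedValue,uint256 nonce,uint256 expiry)");
    bytes32 public constant DECREASE_TYPEHASH =
        keccak256("DecreasePermit(address holder,address spender,uint256 subtractedValue,uint256 nonce,uint256 expiry)");
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("Bounded Permit Token"), block.chainid, address(this)));
    }

    // Shared check: the signature binds holder, spender, amount, nonce and expiry to this domain,
    // so a signed increase for 100 tokens cannot be replayed or stretched into an unlimited approval.
    function _verify(bytes32 typehash, address holder, address spender, uint256 amount,
                     uint256 nonce, uint256 expiry, uint8 v, bytes32 r, bytes32 s) internal {
        require(holder != address(0), "invalid holder");
        require(expiry == 0 || block.timestamp <= expiry, "permit expired");
        require(nonce == nonces[holder]++, "invalid nonce");
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(typehash, holder, spender, amount, nonce, expiry))));
        require(ecrecover(digest, v, r, s) == holder, "invalid signature");
    }

    // Raises the allowance by exactly addedValue: a compromised spender key can move at most
    // the sum of what the holder explicitly signed for, not the holder's whole balance.
    function increasePermit(address holder, address spender, uint256 addedValue, uint256 nonce,
                            uint256 expiry, uint8 v, bytes32 r, bytes32 s) external {
        _verify(INCREASE_TYPEHASH, holder, spender, addedValue, nonce, expiry, v, r, s);
        allowance[holder][spender] += addedValue;
    }

    // Lowers the allowance; anyone may relay the holder's signed decrease, e.g. to revoke
    // quickly after a key compromise. Clamps at zero (OpenZeppelin's decreaseAllowance reverts instead).
    function decreasePermit(address holder, address spender, uint256 subtractedValue, uint256 nonce,
                            uint256 expiry, uint8 v, bytes32 r, bytes32 s) external {
        _verify(DECREASE_TYPEHASH, holder, spender, subtractedValue, nonce, expiry, v, r, s);
        uint256 current = allowance[holder][spender];
        allowance[holder][spender] = subtractedValue >= current ? 0 : current - subtractedValue;
    }
}
```

A production version should additionally reject high-s (malleable) signatures and emit Approval events, which are omitted here for brevity.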
By a design choice, permit will never be used that way.
We'll clearly recommend against issuing permits to individual private keys, and thus permits will only be given to contracts. There will be a very select, presumably also audited, set of contracts that we will ever recommend issuing a permit for.