Lines of code

Vulnerability details

Impact

It could cause damage to third parties who use the permit method for transferring the tokens.

Proof of Concept

The well contract extends the ERC20Permit.sol, which contains a permit function that allow users to transfer assets with signatures.

/**
 * @dev Implementation of the ERC20 Permit extension allowing approvals to be made via signatures, as defined in
 * https://eips.ethereum.org/EIPS/eip-2612[EIP-2612].
 *
 * Adds the {permit} method, which can be used to change an account's ERC20 allowance (see {IERC20-allowance}) by
 * presenting a message signed by the account. By not relying on {IERC20-approve}, the token holder account doesn't
 * need to send a transaction, and thus is not required to hold Ether at all.
 */

When using a permit() function for verification on transferring the tokens, it may cause possible front-running attacks on it.
For example, if a third-party protocol such as a Farming contract using permit() function to perform the transfer during deposit. The attacker can spot the signature in the mempool and do the transfer before the deposit happens. Therefore, the user would loss the tokens he is going to deposit.

Recommended Mitigation Steps

Recommend warn the community the possible issues they might encounter when using the token

Assessed type

ERC20

The text was updated successfully, but these errors were encountered:

All reactions