Grifeing Attack

[kalpshah284]

Bug Description

• Where:
  provideWithPermit and provideForWithPermit

• Expected behavior:
  The provideWithPermit and provideForWithPermit functions utilize the permit function so that approve and pull operations can happen in a single transaction instead of two consecutive transactions.

• Attack:

  ERC20Permit uses the nonces mapping for replay protection. Once a signature is verified and approved, the nonce increases, invalidating the same signature being replayed.

  provideWithPermit and provideForWithPermit expect the holder to sign their tokens and provide the signature to the contract as part of permitData

  When a provideWithPermit and provideForWithPermit transaction is in the mempool, an attacker can take this signature, and call the permit function on the token themselves.

  Since this is a valid signature, the token accepts it and increases the nonce.

  This makes the spender's transaction fail whenever it gets mined.

-Impact

An attacker can ensure all calls to provideWithPermit and provideForWithPermit fail for the first time.

-Risk Breakdown

Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:

-Recommendation

In the provideWithPermit and provideForWithPermit function, check if it has the approval it needs. If not, then only submit the permit signature.
if (IERC20(_token).allowance(owner, spender) < amount) { IERC20PermitUpgradeable(_token).permit(msg.sender, address(this), amount, deadline, v, r, s); }

[georgeciubotaru]

Hi @kalpshah284 thank you for reporting the issue. I've passed the issue on to our security team. I will let you know the resolution.

[kalpshah284]

thank you sir

[zolotokrylin]

@kalpshah284 thank you for the report. Can you please send me a message in Discord.zolotokrylin – my user name.

[kalpshah284]

yes sir

[kalpshah284]

I send request kalp284