Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0xlucky - repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds #131

Closed
sherlock-admin4 opened this issue Jul 13, 2024 · 0 comments
Closed

0xlucky - repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds #131

sherlock-admin4 opened this issue Jul 13, 2024 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Jul 13, 2024
edited by sherlock-admin2
Loading

0xlucky

High

repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds

Summary

Attacker can use a pending repayBorrowWithERC20Permit() transaction's signatures visibility in mempool to increment the nonce by front-running them, causing the spender's (victim) transaction to fail. We use permit function as repay transaction and approve transaction can be done in one single transaction

Vulnerability Detail

In permit , user give authorization to token transfers, and no need of native gas in their wallet. and in this when one nonce is submitted it cannot be replayed.

In our case, user sign approval , so that trusted service will utilize approved funds , as user has executed function onchain.
User sign and gives data as permit-data

When the repayBorrowWithERC20Permit ' function transactions are in the mempool, an attacker can take this signature, and call the permit` function on the token themselves.

Since this is a valid signature, the token accepts it and increases the nonce.

which increase the nonces, so that when the contract submits the permit transaction to token, it will revert.
As a result, user entire repayBorrowWithERC20Permit() transaction will revert.

Impact

All transaction of repayBorrowWithERC20Permit by user will be greifed by th attacker and it will revert.

user will not able to repay the borrow ammount, at tthat particular time , which might could lead to user loss

Code Snippet

 function repayBorrowWithERC20Permit(
    address borrower,
    uint256 amount,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
  ) external whenNotPaused {
    IERC20Permit erc20Token = IERC20Permit(underlying);
    erc20Token.permit(msg.sender, address(this), amount, deadline, v, r, s);

    if (!accrueInterest()) revert AccrueInterestFailed();
    uint256 interest = calculatingInterest(borrower);
    _repayBorrowFresh(msg.sender, borrower, decimalScaling(amount, underlyingDecimal), interest);
}

Tool used

Manual Review

Recommendation

In therequestWithdrawWithPermit Function, check if it has the approval it needs. If not, then only submit the permit signature.

Duplicate of #65
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 15, 2024
@sherlock-admin2 sherlock-admin2 changed the title Teeny Daffodil Bat - repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds 0xlucky - repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds Jul 19, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 19, 2024
@WangSecurity WangSecurity removed the Medium A valid Medium severity issue label Aug 9, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 9, 2024
@sherlock-admin4 sherlock-admin4 removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Aug 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@WangSecurity @sherlock-admin2 @sherlock-admin4