[Audit][M-03] Changing amount of account access is open to a sandwich attack #237

Open
antoncoding opened this issue Aug 3, 2023 · 0 comments

antoncoding commented Aug 3, 2023

Severity: Medium
Description:
The BaseEngine contract has the option to allow any other entity to perform actions on one's behalf. This is recorded with an amount of actions which is inputted. This leads to the typical allowance vulnerability where allowance is set to x amount and changed to a new amount.

Simple example where this could lead to an issue:

  • UserA has set UserB to 50 allowedExecutions
  • UserB already executed 5 times, making allowedExecution 45
  • UserA now wants to grant another 10 actions, sending a tx to adjust the number to 55
  • UserB front-runs UserA, spends the remaining 45 executions, and gets another 55 executions after the tx above is mined.
@antoncoding antoncoding self-assigned this Aug 3, 2023
@antoncoding antoncoding transferred this issue from grappafinance/full-collat-engine Aug 4, 2023
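
The scenario from the issue, replayed as a small Python model (an added illustration, not code from the BaseEngine contract or from the issue author). It compares the absolute overwrite with two common mitigations for this class of allowance race: a relative increase and a compare-and-set update. `AccessLedger`, `set_access`, `increase_access` and `set_access_expecting` are hypothetical names.

```python
# Model of a per-grantee execution counter (hypothetical names, not the BaseEngine code).
class AccessLedger:
    def __init__(self):
        self.allowed = {}  # (owner, grantee) -> remaining executions

    def set_access(self, owner, grantee, amount):
        """Absolute overwrite: the pattern the finding describes."""
        self.allowed[(owner, grantee)] = amount

    def increase_access(self, owner, grantee, delta):
        """Relative update: the final total does not depend on tx ordering."""
        self.allowed[(owner, grantee)] = self.allowed.get((owner, grantee), 0) + delta

    def set_access_expecting(self, owner, grantee, expected, amount):
        """Compare-and-set: revert if the counter moved since the owner read it."""
        current = self.allowed.get((owner, grantee), 0)
        if current != expected:
            raise RuntimeError(f"stale read: expected {expected}, found {current}")
        self.allowed[(owner, grantee)] = amount

    def execute(self, owner, grantee):
        remaining = self.allowed.get((owner, grantee), 0)
        if remaining == 0:
            raise PermissionError("no executions left")
        self.allowed[(owner, grantee)] = remaining - 1


def total_executions(update, grantee_goes_first):
    """Replay the issue's scenario; return how many actions UserB can perform overall."""
    ledger = AccessLedger()
    ledger.set_access("UserA", "UserB", 50)
    for _ in range(5):
        ledger.execute("UserA", "UserB")
    used = 5
    if grantee_goes_first:  # UserB's transactions are ordered before UserA's update
        for _ in range(45):
            ledger.execute("UserA", "UserB")
        used += 45
    try:
        update(ledger)
    except RuntimeError:
        pass  # the update reverted, so the counter is unchanged
    return used + ledger.allowed[("UserA", "UserB")]


# UserA's intent in all three variants: 5 already used + 55 remaining = 60 in total.
overwrite = lambda l: l.set_access("UserA", "UserB", 55)
relative = lambda l: l.increase_access("UserA", "UserB", 10)
guarded = lambda l: l.set_access_expecting("UserA", "UserB", 45, 55)
```

With the overwrite, the total depends on ordering (60 versus 105). The relative update yields 60 either way, and the guarded update reverts when the counter has changed, leaving UserB at 50.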