increaseAllowance and decreaseAllowance functions are removed from ERC-20 to avoid phishing attacks. #567
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-320
- low quality report: This report is of especially low quality
- unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L139-L159
Vulnerability details
Impact
Recently, the increaseAllowance function was removed from the OpenZeppelin ERC20 contract because it had been exploited in phishing attacks and to prevent further phishing attacks. While it does not directly lead to vulnerabilities, it is advisable to remove the increaseAllowance function from the ERC20 contract, as it could potentially be exploited in sophisticated attacks.
Please see the following for more detail:
OpenZeppelin/openzeppelin-contracts#4583
Proof of Concept
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/token/ERC20.sol#L139-L159
Tools Used
Manual review
Recommended Mitigation Steps
Consider removing the increaseAllowance/decreaseAllowance functions from the ERC20 contract.
Assessed type
ERC20