EBTCToken is not compliant with ERC-20 #92
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
insufficient quality report
This report is not of sufficient quality
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/EBTCToken.sol#L134-L150
Vulnerability details
Impact
EBTCToken is described in the code as "ERC20 EbtcToken, with permit approvals and extensible minting."
However, its implementation deviates from ERC-20 in some respects, which means that EBTCToken is not compliant with ERC-20.
Being non-compliant with ERC-20 may cause unexpected behavior. Other protocols that integrate with the contract may incorrectly assume that it is ERC-20 compliant, especially since the documentation states that it is ERC-20. Any deviation from the standard breaks composability and may lead to loss of funds. When a protocol implements a contract and describes it as ERC-20, it should fully conform to the ERC-20 standard.
In previous Code4rena contests, lack of EIP compliance was evaluated as High/Medium:
Proof of Concept
File: EBTCToken.sol
The function `transferFrom()` first performs the transfer via `_transfer()` at line 140, and only then checks the allowance (lines 142-146). This makes the token non-compliant with the ERC-20 standard.
Let's check the OpenZeppelin `transferFrom()` implementation:
There, `_spendAllowance()` is called before `_transfer()`. In the EBTCToken implementation, by contrast, `_transfer()` is performed first, and the allowance is checked afterwards.
Tools Used
Manual code review
Recommended Mitigation Steps
Check for allowances before performing ERC-20 transfer.
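As an added illustration (not the eBTC code and not OpenZeppelin's), here is a minimal ERC-20 core with the two `transferFrom()` orderings side by side: the one the report describes and the one the mitigation recommends. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not the Badger/eBTC code: a minimal ERC-20 core showing
/// the two transferFrom orderings the report contrasts. Names are hypothetical.
contract OrderingDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() { balanceOf[msg.sender] = 1_000e18; } // constructed sample supply

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // Ordering described in the report: move the tokens, then check and decrement the allowance.
    function transferFromReported(address from, address to, uint256 value) external returns (bool) {
        _transfer(from, to, value);
        _spendAllowance(from, msg.sender, value);
        return true;
    }

    // Ordering used by OpenZeppelin and recommended in the mitigation:
    // spend the allowance first, then move the tokens.
    function transferFromRecommended(address from, address to, uint256 value) external returns (bool) {
        _spendAllowance(from, msg.sender, value);
        _transfer(from, to, value);
        return true;
    }

    function _spendAllowance(address owner, address spender, uint256 value) internal {
        uint256 current = allowance[owner][spender];
        require(current >= value, "ERC20: insufficient allowance");
        allowance[owner][spender] = current - value;
    }

    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "ERC20: transfer to zero address");
        uint256 bal = balanceOf[from];
        require(bal >= value, "ERC20: transfer amount exceeds balance");
        balanceOf[from] = bal - value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }
}
```

In both variants a failing allowance check reverts the whole call, so the difference is in the order of the state writes and the Transfer event within the call, not in the state left after a revert.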
Assessed type
ERC20