Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EBTCToken is not compliant with ERC-20 #92

Closed
c4-submissions opened this issue Nov 9, 2023 · 5 comments
Closed

EBTCToken is not compliant with ERC-20 #92

c4-submissions opened this issue Nov 9, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/EBTCToken.sol#L134-L150

Vulnerability details

Impact

EBTCToken is defined as: "ERC20 EbtcToken, with permit approvals and extensible minting.".

However, there are some deviations from ERC-20 in its implementation, which implies, that EBTCToken is not compliant with ERC-20.

This may cause unexpected behavior due to being non compliant with ERC-20. Other protocols that integrate with contract may incorrectly assume that it's ERC-20 compliant - especially that documentation states that it's ERC-20. Any deviation from this standard will broke the composability and may lead to fund loss. While protocol's implements a contract and describes it as ERC-20, it should fully conform to ERC-20 standard.

During the previous Code4rena, lack of EIP compliance were evaluated as High/Medium:

Proof of Concept

File: EBTCToken.sol

    function transferFrom(
        address sender,
        address recipient,
        uint256 amount
    ) external override returns (bool) {
        _requireValidRecipient(recipient);
        _transfer(sender, recipient, amount);

        uint256 cachedAllowance = _allowances[sender][msg.sender];
        if (cachedAllowance != type(uint256).max) {
            require(cachedAllowance >= amount, "ERC20: transfer amount exceeds allowance");
            unchecked {
                _approve(sender, msg.sender, cachedAllowance - amount);
            }
        }
        return true;
    }

Function transferFrom(), firstly performs the transfer: _transfer() at line 140, and then - it checks for allowances (lines 142-146).
This makes this token to be not compliant with ERC-20 standard.
Let's check for the OpenZeppelin transferFrom() implementation:

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/94697be8a3f0dfcd95dfb13ffbd39b5973f5c65d/contracts/token/ERC20/ERC20.sol#L154-L159

   function transferFrom(address from, address to, uint256 value) public virtual returns (bool) {
       address spender = _msgSender();
       _spendAllowance(from, spender, value);
       _transfer(from, to, value);
       return true;
   }

As demonstrated above, _spendAllowance() is called before _transfer(). While in EBTCToken token implementation - we firstly perform _transfer(), and then, we check for the allowance.

Tools Used

Manual code review

Recommended Mitigation Steps

Check for allowances before performing ERC-20 transfer.

Assessed type

ERC20
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 9, 2023
c4-submissions added a commit that referenced this issue Nov 9, 2023
@c4-submissions
lsaudit issue #92
900b01e
@bytes032
Copy link

Invalid

@c4-pre-sort
Copy link

bytes032 marked the issue as insufficient quality report

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Nov 15, 2023
@GalloDaSballo
Copy link

This statement is beyond exagerated

@c4-sponsor
Copy link

GalloDaSballo (sponsor) disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Nov 20, 2023
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Nov 26, 2023
@c4-judge
Copy link

jhsagd76 marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@GalloDaSballo @c4-judge @c4-sponsor @c4-pre-sort @bytes032 @c4-submissions