This repository has been archived by the owner on Apr 28, 2024. It is now read-only.
Milad-Sha - Remove custom function allowance #72
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Won't Fix
The sponsor confirmed this issue will not be fixed
Comments
github-actions
bot
added
the
Excluded
|
Not clearly showing how the current implementation could result in the impact described. |
sherlock-admin2
changed the title
ith-harvey
added
Won't Fix
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Milad-Sha
medium
Remove custom function allowance
Summary
The increaseAllowance and decreaseAllowance functions can add more bugs.
Vulnerability Detail
Recently, the increaseAllowance function has been removed from the OpenZeppelin ERC20 contract due to its exploitation in phishing attacks and to prevent the possibility of further phishing attacks.
See OpenZeppelin/openzeppelin-contracts#4583. We should remove the functions increaseLPAllowance and decreaseLPAllowance as they only solve an imaginary problem.
These functions are not part of the EIP-20 specs.
Impact
Using these functions will result in unexpected behaviour which will cause contracts to become corrupted.
These functions may allow for further phishing possibilities.
Code Snippet
https://github.com/sherlock-audit/2023-09-ajna/blob/main/ajna-core/src/libraries/external/LPActions.sol?plain=1#L55-L117
https://github.com/sherlock-audit/2023-09-ajna/blob/main/ajna-core/src/base/Pool.sol?plain=1#L454-L479
Tool used
Manual Review
Recommendation
considering removing increaseLPAllowance/decreaseLPAllowance function from LPActions contract.
Or implement a function similar to this SafeERC20 library which is still available.
The text was updated successfully, but these errors were encountered: