Audit Anomalies Archive — Issue#12

Zuhaib Mohammed
2 min read · May 29, 2024

I’m sure by now you are aware of the popular front-running attack. The way it works is that a user pays higher gas fees to get their transaction executed first. Common examples of front-running include sandwich attacks or those executed by MEV bots during arbitrage.

ERC20Permit

It is an extension of the popular ERC-20 standard that allows for gasless approvals through signatures. This is achieved by introducing a permit function, which accepts the owner's signed message authorizing the spender to use a specified amount for a certain period. This enhances usability and reduces transaction costs. The extension is defined in EIP-2612.

The Issue

By design, the token ignores the msg.sender in the permit call, and the parameters of this function can be easily seen in the mempool. As a result, any malicious user monitoring the mempool can front-run this transaction. This can lead to a Denial-of-Service (DoS) situation for the user.

function depositWithPermit(address user, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public {
    erc20.permit(user, address(this), amount, deadline, v, r, s);
    require(erc20.transferFrom(user, address(this), amount), "Transfer failed");

    deposits[user] += amount;
}

Let’s understand this with an example. When a user calls the depositWithPermit() function on a contract, a malicious user can front-run this transaction by calling erc20.permit using the same v, r, and s inputs. Consequently, since the signature has already been used by the front-running transaction, the actual transaction will revert with an "invalid signature" error.

Even though the impact of this issue is relatively low because users can still deposit using the conventional approve and transferFrom methods, this issue discovered by the team at trust-security highlights the importance of thinking outside the box. It shows how combining different attack vectors, such as authorization and frontrunning, can cause a DoS attack on honest users.

You can read the blog post by trust-security: https://www.trust-security.xyz/post/permission-denied

For a code sample to understand the issue, pseudo source code can be found in this link.

Thanks for reading!

Connect with me: https://linktr.ee/zuhaib44
