Audit Anomalies Archive — Issue#12
I’m sure by now you are aware of the popular front-running attack. The way it works is that a user pays higher gas fees to get their transaction executed first. Common examples of front-running include sandwich attacks or those executed by MEV bots during arbitrage.
ERC20Permit
It is an extension of the popular ERC-20 standard that allows for gasless approvals through signatures. This is achieved by introducing a permit function, which accepts the owner's signed message authorizing the spender to use a specified amount for a certain period. This enhances usability and reduces transaction costs and is defined in EIP-2612.
The Issue
By design, the token ignores the msg.sender in the permit call, and the parameters of this function can be easily seen in the mempool. As a result, any malicious user monitoring the mempool can front-run this transaction. This can lead to a Denial-of-Service (DoS) situation for the user.
function depositWithPermit(address user, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public {
    erc20.permit(user, address(this), amount, deadline, v, r, s);
    require(erc20.transferFrom(user, address(this), amount), "Transfer failed");
    deposits[user] += amount;
}
Let’s understand this with an example. When a user calls the depositWithPermit() function on a contract, a malicious user can front-run this transaction by calling erc20.permit using the same v, r, and s inputs. Consequently, since the signature has already been used by the front-running transaction, the actual transaction will revert with an "invalid signature" error.
Even though the impact of this issue is relatively low because users can still deposit using the conventional approve and transferFrom methods, this issue discovered by the team at trust-security highlights the importance of thinking outside the box. It shows how combining different attack vectors, such as authorization and front-running, can cause a DoS attack on honest users.
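One way to keep depositWithPermit() working when the signature has already been consumed, shown as an added example that is not code from the original post or from trust-security: wrap the permit call in try/catch and fall back to checking the allowance. The HardenedVault contract name, the IERC20Permit interface name and the compiler version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Minimal interface (assumed name) covering only the calls used below.
interface IERC20Permit {
    function permit(address owner, address spender, uint256 value,
        uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Hypothetical contract name; same storage and function signature as the snippet above.
contract HardenedVault {
    IERC20Permit public immutable erc20;
    mapping(address => uint256) public deposits;

    constructor(IERC20Permit token) {
        erc20 = token;
    }

    function depositWithPermit(
        address user, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) public {
        // permit() consumes the owner's nonce, so a signature that was already
        // submitted from the mempool makes this call revert. Catch that revert
        // instead of letting it abort the whole deposit.
        try erc20.permit(user, address(this), amount, deadline, v, r, s) {
            // Signature accepted in this transaction.
        } catch {
            // If the same signature was already submitted, the allowance it
            // granted is in place; anything else is a genuine failure.
            require(
                erc20.allowance(user, address(this)) >= amount,
                "Permit failed and allowance too low"
            );
        }
        require(erc20.transferFrom(user, address(this), amount), "Transfer failed");
        deposits[user] += amount;
    }
}
```

Because the fallback accepts any existing allowance, a caller without a valid signature can trigger a deposit of tokens the user has already approved to this contract; the credit still goes to user.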
You can read the blog posted by trust-security — https://www.trust-security.xyz/post/permission-denied
For a code sample to understand the issue, pseudo source code can be found in this link.
Thanks for reading!