
Report #14917

Report Date
December 18, 2022
Status
Closed
Payout

permit improvement to Pipeline can be front-run

Report Info

BIC Response

This is not a security bug report because it describes expected behavior.

Say Alice calls farm in Depot and inside the data she attaches signatures to use permitERC20. Bob sees the transaction and calls permitERC20 with the same signatures as Alice. Now Pipeline has approval to spend Alice's funds.

Alice should use permitERC20 to approve Depot (not Pipeline) to spend Alice's funds. Any approval of Pipeline could result in loss of funds, but this is true for any EOA or malicious smart contract. Pipeline should never receive approval of any token and never needs to receive approval.

Due to these reasons, we are closing the submission and no reward will be issued.
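The two flows described in the response, as an added example that is not part of the report or of Beanstalk's own code. It is a toy Python model of an EIP-2612 style permit: the signature commits to owner, spender, value, nonce and deadline but not to whoever submits it, so Bob can relay Alice's permit. Whether that matters depends entirely on the spender. The model assumes Pipeline executes arbitrary calls with itself as msg.sender for any caller, and that Depot only ever moves tokens on behalf of msg.sender; signatures are simulated with HMAC-SHA256 as a stand-in for secp256k1 ECDSA, and the addresses, keys and balances are constructed.

```python
# Added example, not Beanstalk code. Toy model of permit relaying: the same
# relayed permit is exploitable when the spender is Pipeline and harmless when
# the spender is Depot. HMAC stands in for ECDSA; names/balances are constructed.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Permit:
    owner: str
    spender: str
    value: int
    nonce: int
    deadline: int

    def digest(self) -> bytes:
        # Stand-in for the EIP-712 typed-data hash of the Permit struct.
        msg = f"{self.owner}|{self.spender}|{self.value}|{self.nonce}|{self.deadline}"
        return hashlib.sha256(msg.encode()).digest()


class Wallet:
    """An EOA. sign() stands in for ECDSA: only the key holder can produce a tag."""

    def __init__(self, address: str, key: bytes):
        self.address = address
        self._key = key

    def sign(self, permit: Permit) -> bytes:
        return hmac.new(self._key, permit.digest(), hashlib.sha256).digest()


class PermitToken:
    """ERC-20 with permit(). With HMAC the token needs the signer's key to verify,
    which is what makes this a simulation rather than a real token."""

    def __init__(self, keys: dict[str, bytes], balances: dict[str, int]):
        self._keys = keys
        self.balances = dict(balances)
        self.allowance: dict[tuple[str, str], int] = {}
        self.nonces: dict[str, int] = {}

    def permit(self, p: Permit, sig: bytes, now: int) -> None:
        # The submitter is not a parameter: anyone who sees the signature can
        # relay it. The signature binds owner/spender/value/nonce/deadline only.
        if now > p.deadline:
            raise ValueError("permit expired")
        if p.nonce != self.nonces.get(p.owner, 0):
            raise ValueError("bad nonce")
        expected = hmac.new(self._keys[p.owner], p.digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        self.nonces[p.owner] = p.nonce + 1
        self.allowance[(p.owner, p.spender)] = p.value

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        key = (owner, caller)
        if self.allowance.get(key, 0) < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowance[key] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Pipeline:
    """Assumed: runs arbitrary calls with itself as msg.sender, for any caller,
    so any allowance granted to it is usable by everyone."""

    address = "pipeline"

    def pipe(self, caller: str, fn, *args):
        return fn(self.address, *args)


class Depot:
    """Assumed: only moves tokens on behalf of the account that called it."""

    address = "depot"

    def __init__(self, token: PermitToken):
        self.token = token

    def farm_transfer(self, caller: str, to: str, amount: int) -> None:
        # Pulls from `caller` (msg.sender), never from an arbitrary owner.
        self.token.transfer_from(self.address, caller, to, amount)


def frontrun(spender: str) -> dict[str, int]:
    """Alice signs a permit for `spender`; Bob relays it first and tries to take
    her tokens. Returns the resulting balances."""
    alice_key, bob_key = b"alice-secret", b"bob-secret"  # constructed
    token = PermitToken({"alice": alice_key, "bob": bob_key}, {"alice": 100, "bob": 0})
    alice = Wallet("alice", alice_key)
    pipeline, depot = Pipeline(), Depot(token)

    p = Permit(owner="alice", spender=spender, value=100, nonce=0, deadline=1_000)
    sig = alice.sign(p)          # Alice puts this in her farm() calldata
    token.permit(p, sig, now=1)  # Bob submits it first; it is just as valid from him

    try:
        if spender == pipeline.address:
            # Pipeline hands its allowance to whoever calls it.
            pipeline.pipe("bob", token.transfer_from, "alice", "bob", 100)
        else:
            # Depot spends Bob's allowance when Bob calls it, and Bob has none.
            depot.farm_transfer("bob", "bob", 100)
    except ValueError:
        pass
    return token.balances


if __name__ == "__main__":
    print("spender=Pipeline:", frontrun("pipeline"))
    print("spender=Depot:   ", frontrun("depot"))
```

In the Pipeline case the relayed permit plus one `pipe` call drains Alice; in the Depot case the relay merely sets an allowance that only Alice's own calls can exercise, which is why the response treats it as expected behaviour and says Pipeline should never be approved.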