Report Date
December 18, 2022
Status
Closed
Payout
permit improvement to pipeline can be front runned
BIC Response
This is not a security bug report because it describes expected behavior.
Say Alice calls farm in Depot and inside the data she attaches signatures to use permitERC20. Bob sees the transaction and calls permitERC20 with the same signatures as Alice. Now Pipeline has approval to spend Alice's funds.
Alice should use permitERC20 to approve Depot (not Pipeline) to spend Alice's funds. Any approval of Pipeline could result in loss of funds, but this is true for any EOA or malicious smart contract. Pipeline should never receive approval of any token and never needs to receive approval.
Due to these reasons, we are closing the submission and no reward will be issued.
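The scenario in the response above, as an added Python model (not code from the report or from Beanstalk): a permit-style approval is bound to the spender the owner signed for, so the resulting allowance is the same whoever submits it. `Token`, `sign_permit`, `scenario` and `rejected` are hypothetical names, and HMAC is an assumed stand-in for the ECDSA signature a real permit carries.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC stands in for the ECDSA signature a real
# permit carries, so the token below "knows" the key only for the demo.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}


def sign_permit(owner, spender, value, nonce):
    """Owner's signature over (owner, spender, value, nonce)."""
    msg = f"{owner}|{spender}|{value}|{nonce}".encode()
    return hmac.new(KEYS[owner], msg, hashlib.sha256).digest()


class Token:
    """Toy token with a permit-style approval (hypothetical model)."""

    def __init__(self):
        self.allowance = {}  # (owner, spender) -> value
        self.nonces = {}     # owner -> next unused nonce

    def permit(self, submitter, owner, spender, value, sig):
        # `submitter` is never checked: any account may relay a permit.
        nonce = self.nonces.get(owner, 0)
        if not hmac.compare_digest(sig, sign_permit(owner, spender, value, nonce)):
            raise ValueError("invalid signature")
        self.nonces[owner] = nonce + 1
        self.allowance[(owner, spender)] = value


def scenario(spender, submitter):
    """Alice signs a permit for `spender`; `submitter` puts it on chain."""
    token = Token()
    sig = sign_permit("alice", spender, 100, 0)
    token.permit(submitter, "alice", spender, 100, sig)
    return token, sig


def rejected(token, owner, spender, value, sig):
    """True if the token refuses this permit call."""
    try:
        token.permit("bob", owner, spender, value, sig)
    except ValueError:
        return True
    return False
```

The allowance depends only on what Alice signed, which is why the response points at the choice of spender (Depot rather than Pipeline) and not at who relays the signature.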