Rough Brick Meerkat - EIP-2612 permit functionality not respected

[sherlock-admin3]

Rough Brick Meerkat

Medium

EIP-2612 permit functionality not respected

Summary

Vulnerability Detail

In the functions ‘permitAndStake’ and ‘permitAndStakeMore’ in the file GovernanceStakerPermitAndStake.sol, even when the stake token support EIP-2612 permit functionality, these functions ignores the permit call failures (e.g., due to a signature mismatch or expired deadline) and continues execution without reverting as it uses try / catch with the permit call. In the instance, the basic purpose and advantage of permit call is defeated.

  function permitAndStake(
    uint256 _amount,
    address _delegatee,
    address _claimer,
    uint256 _deadline,
    uint8 _v,
    bytes32 _r,
    bytes32 _s
  ) external virtual returns (DepositIdentifier _depositId) {
    try IERC20Permit(address(STAKE_TOKEN)).permit(
      msg.sender, address(this), _amount, _deadline, _v, _r, _s
    ) {} catch {}
    _depositId = _stake(msg.sender, _amount, _delegatee, _claimer);
  }

Under the condition of any failure in the try/catch of permit call, the staker has to separately give ERC20 approval for the desired amount to be staked, which will be required prior to the execution of

    _depositId = _stake(msg.sender, _amount, _delegatee, _claimer);

Impact

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/b125d1f2b52170a3789b1060a52fc6609e6e2262/staker/src/extensions/GovernanceStakerPermitAndStake.sol#L37-L50

https://github.com/sherlock-audit/2024-11-tally/blob/b125d1f2b52170a3789b1060a52fc6609e6e2262/staker/src/extensions/GovernanceStakerPermitAndStake.sol#L63-L79

Tool used

Manual Review

Recommendation

Better to revert on the failure of permit call and informing the staker the reason of failure. This will enable the staker to take informed decision.