Itchy Ultraviolet Monkey - Token approvals are vulnerable to front-running attacks #245

Open
sherlock-admin3 opened this issue Dec 31, 2024 · 0 comments

Itchy Ultraviolet Monkey

Medium

Token approvals are vulnerable to front-running attacks

Summary

The approve() function in CToken.sol and Numa.sol is vulnerable to front-running attacks. A malicious spender can front-run an approval change transaction to spend both the old allowance and the new allowance, potentially resulting in the loss of user tokens.

Root Cause

In CToken.sol and Numa.sol there are no functions to safely increase and decrease allowance.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Consider the following scenario:

  1. Alice approves Bob to transfer 5 tokens
  2. Alice decides to reduce this allowance to 3 tokens
  3. Bob notices the allowance reduction tx in the mempool and frontruns it to spend the initial allowance of 5 tokens
  4. Bob is granted a new allowance of 3 tokens, and spends it for a total of 8 tokens spent.

Impact

A malicious spender can front-run approve and spend more than intended.

PoC

No response

Mitigation

Add increaseAllowance and decreaseAllowance functions to Numa and CToken.
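
The scenario and the mitigation above, replayed in a small Python model. This is an added example, not part of the original issue and not the Numa or CToken code. The `Token` class, the starting balances, and the revert-on-underflow behaviour of `decrease_allowance` are assumptions made for illustration.

```python
class Revert(Exception):
    """Models a reverted transaction (state is left unchanged)."""

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # Absolute overwrite: ignores how much was already spent.
        self.allowance[(owner, spender)] = amount

    def decrease_allowance(self, owner, spender, delta):
        # Relative change (assumed semantics): reverts on underflow,
        # i.e. when the spender has already used the allowance.
        current = self.allowance.get((owner, spender), 0)
        if delta > current:
            raise Revert("decreased allowance below zero")
        self.allowance[(owner, spender)] = current - delta

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise Revert("insufficient allowance or balance")
        self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def via_approve(t):   # Alice sets the allowance to 3 with approve()
    t.approve("alice", "bob", 3)

def via_decrease(t):  # Alice lowers the allowance by 2 instead
    t.decrease_allowance("alice", "bob", 2)

def bob_total(reduce_tx, front_run=True):
    """Replay the issue's scenario and return the tokens Bob ends up with."""
    t = Token({"alice": 10, "bob": 0})    # constructed balances
    t.approve("alice", "bob", 5)          # step 1: allowance of 5
    spend5 = lambda: t.transfer_from("bob", "alice", "bob", 5)
    spend3 = lambda: t.transfer_from("bob", "alice", "bob", 3)
    reduce = lambda: reduce_tx(t)         # step 2: Alice's reduction tx
    order = [spend5, reduce, spend3] if front_run else [reduce, spend3]
    for tx in order:
        try:
            tx()
        except Revert:
            pass  # a reverted tx changes nothing
    return t.balances["bob"]

if __name__ == "__main__":
    print(bob_total(via_approve), bob_total(via_decrease))
```

With the relative decrease, the reordered sequence caps Bob at the original 5 tokens because Alice's reduction and Bob's second spend both revert.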
