scout-soroban
Expired allowance miscalculation
This issue covers a faulty implementation of the allowance function from the Token SEP-041 interface. The approve function in SEP-041 takes an expiration_ledger:
fn approve(e: Env, from: Address, spender: Address, amount: i128, expiration_ledger: u32)
The allowance function, however, only returns the amount:
fn allowance(e: Env, from: Address, spender: Address) -> i128
Because nothing in the allowance signature mentions expiration_ledger, it is easy to write an implementation that compiles but never consults it, so an allowance that has already expired is still reported at its full value. For example:
fn allowance(e: Env, from: Address, spender: Address) -> i128 {
    let result = storage::get_allowance(&e, &from, &spender);
    // result.expiration_ledger is stored but never compared against the ledger.
    result.amount
}
Proposal
If the TokenInterface trait is implemented (this can be verified by checking that the trait is imported and implemented), ensure that allowance compares the stored expiration_ledger against the current ledger sequence and reports 0 once the allowance has expired, along the lines of:
fn allowance(e: Env, from: Address, spender: Address) -> i128 {
    let result = storage::get_allowance(&e, &from, &spender);
    // Expired once the ledger sequence passes expiration_ledger; an allowance
    // is still valid on the expiration ledger itself.
    if e.ledger().sequence() > result.expiration_ledger {
        0
    } else {
        result.amount
    }
}
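To show the difference between the two implementations without a Soroban environment, here is an added example (not scout-soroban's or SEP-041's code) written in plain Rust. It models the ledger sequence and the allowance storage with a small `Env` struct and an `AllowanceValue { amount, expiration_ledger }` record (both names are assumptions chosen for the example), and places the unchecked and the checked allowance side by side. The `approve` in the example also rejects a non-zero allowance whose expiration_ledger is already in the past; that rule is an assumption of the example, not something the page states.

```rust
// Added example, not the scout-soroban or SEP-041 code: a plain-Rust model of
// allowance storage so the expiration check can be exercised stand-alone.
use std::collections::HashMap;

/// Assumed shape of what a token stores per (from, spender) pair.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct AllowanceValue {
    pub amount: i128,
    pub expiration_ledger: u32,
}

/// Minimal stand-in for a Soroban `Env`: the current ledger sequence plus
/// the allowance map. Field and method names are assumptions.
pub struct Env {
    pub sequence: u32,
    allowances: HashMap<(String, String), AllowanceValue>,
}

impl Env {
    pub fn new(sequence: u32) -> Self {
        Env { sequence, allowances: HashMap::new() }
    }

    /// A missing entry reads as a zero allowance that expired at ledger 0.
    pub fn get_allowance(&self, from: &str, spender: &str) -> AllowanceValue {
        self.allowances
            .get(&(from.to_string(), spender.to_string()))
            .copied()
            .unwrap_or(AllowanceValue { amount: 0, expiration_ledger: 0 })
    }
}

/// Stores an allowance together with its expiration ledger.
pub fn approve(e: &mut Env, from: &str, spender: &str, amount: i128, expiration_ledger: u32) {
    // Assumed rule for the example: a non-zero allowance must not already be
    // expired at the time it is written.
    if amount > 0 && expiration_ledger < e.sequence {
        panic!("expiration_ledger is less than the current ledger sequence");
    }
    e.allowances.insert(
        (from.to_string(), spender.to_string()),
        AllowanceValue { amount, expiration_ledger },
    );
}

/// The pattern the detector flags: expiration_ledger is stored but never read.
pub fn allowance_unchecked(e: &Env, from: &str, spender: &str) -> i128 {
    e.get_allowance(from, spender).amount
}

/// The proposed shape: once the ledger sequence passes expiration_ledger the
/// allowance reads as zero. On the expiration ledger itself it is still valid.
pub fn allowance_checked(e: &Env, from: &str, spender: &str) -> i128 {
    let result = e.get_allowance(from, spender);
    if e.sequence > result.expiration_ledger {
        0
    } else {
        result.amount
    }
}

fn main() {
    // Constructed scenario: approval at ledger 100 that expires at ledger 110.
    let mut env = Env::new(100);
    approve(&mut env, "alice", "bob", 500, 110);
    for seq in [100u32, 110, 111] {
        env.sequence = seq;
        println!(
            "ledger {}: unchecked={} checked={}",
            seq,
            allowance_unchecked(&env, "alice", "bob"),
            allowance_checked(&env, "alice", "bob")
        );
    }
}
```

Running it prints 500 for both functions at ledgers 100 and 110, and at ledger 111 the unchecked version still reports 500 while the checked one reports 0. The view function is only half of the picture: whichever function actually consumes the allowance should apply the same comparison, otherwise allowance reports 0 for an allowance that can still be spent.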