1/ Do you think ERC20 approve() is safe? Well… 🧵

Function in itself is safe but there are two scenario where ERC20 approve() shows its rough edges.

First is a front-running attack on approve().

Imagine following scenario 👇
* Alice approves Bob for 20 Tokens
* After some time, Alice changes approve to 10
* Bob front-runs the Alice TX for approve(10)
* Bob spends 20 Tokens
* Alice TX passes
* Bob spends additional 10 Tokens from Alice.

Why is that?
3/ Attack is also possible because approve() overrides current allowance.

It doesn’t increase/decrease allowance in atomic manner.

How can we limit against that?

There are two approaches to limit the attack vector.
4/ First:

Send one transaction setting allowance to 0, reseting the allowance for Bob.

The second transaction is approve of the new desired amount.

Main issue is Alice needs two perform two transaction losing costs on gas prices.

5/ Utilize non-standard functions like increaseAllowance and decreaseAllowance.

These functions are part of standard OpenZeppelin ERC20 implementation.

These non-standard functions are increasing and decreasing allowance as an atomic operation through simple trick.
6/ Instead of sending final value we are interested in, we send current allowance with desired change in value.

Bob can still front-run first approve but with increaseAllowance, he can only claim the change in value.

Instead of setting 30 as new value, we set 10 as new value
7/ Similar with decreaseAllowance.

Bob can still front-run first approve, but when he claims all 20 tokens, Alice’s TX with decreaseAllowance will revert due to subtraction from 0.

That’s for front-running approve.

What about the second issue I mentioned in the begging?
8/ Many projects requires you to approve their smart contracts for some operations.

Uniswap requires approve() so they can execute the transaction instead of you directly sending the tokens.

When you want to swap X token for Y, you need to approve Uniswap to perform the trade.
9/ Often times people approve more than they are spending. For example


That approves the maximum value of uint, which is 2^256.

If you would do this on Uniswap, that’s ok as it is a trusted and verified project.

What about new projects?
10/ The issue is if we do the same for the protocol that just has launched or don't have all contracts verified on etherscan.

This time we don't know what exactly is happening, and we can't check the code logic.

What can happen if we did that for malicious contract? Scenario👇
* Alice approves max uint of DAI to new AMM contracts
* Projects does a rug pull
* Steals all the money from the pools
* Steals money from Alice’s wallet as contract have unlimited allowance from Alice for their DAI.

Looks scary and not probable. But does it really? 🍿🤯
12/ That’s exactly what has happened today to StableMagnet.

I won’t go into the details as @RektHQ did a great write-up of the whole situation.


How can we protect ourselves from situation like 13this?
13/ Approve only the amount you want to spend on the protocol.

You never know what lurks in the dark and if contracts can be trusted.

During a hack, revoke all your allowance on the project.

DeFi contains a lot of predators. Be aware of them and always do your own diligence.
14/ If you want to read in details about the above ERC20 approve issue, please check out my newest blog post.


I give more details examples to help you understand the issue.

#Ethereum #ERC20 #DeFi
* front-run attack can be done on second approve() tx
* double-spend is possible due to above
* increase/decrease allowance from OZ limits the attack
* never approve unlimited amounts of token to the contract

If you like my content , you can subscribe to 📬 on my blog 👆

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Adrian ⛩️ Hetman 🐺⚔️

Adrian ⛩️ Hetman 🐺⚔️ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @adrianhetman

23 Jun
1/How @ElevenFinance got hacked? 🧵

The exploit was possible due to a bug in emergencyBurn() function of ElevenNeverSellVault.

There is a transfer of previously deposited funds during the function call, but there is a lack of burning of Nerve shares to account for the transfer Image
2/ In other words, an attacker could double-spend Nerve shares he acquired during initial deposit to the vault.

emergencyBurn() didn’t burn 11NRV Tokens so an attacker used them in “withdrawAll()” to get additional LP Tokens in return.
3/ He burned LP Tokens on PancakeSwap getting the underlying tokens.

After repaying the FlashSwap, attacker was left with funds from burning second time the 11NRV Tokens.

This was done on multiple vaults on ElevenFinance, marking a total loss of $4.5M.
Read 4 tweets
21 Jun
1/ Why China is cracking down on #Bitcoin? 🧵

Currently many of the Chinese provinces where Bitcoin miners resided, rolled out new policies restricting or banning the #BTC miners.

Inner Mongolia, Xinjiang, Yunnan and Sichuan banned Bitcoin.
2/ Energy companies were told to stop providing energy to crypto miners due to them using too much electricity.

It became an illegal activity to mine cryptocurrencies. If someone would be found to do so regardless, they would be added to the blacklist of social credit system.
3/ All decision seems to be linked mainly with Energy usage.

China plans to achieve carbon neutrality by 2060 and reducing carbon intensity or the amount of carbon emitted per unit of GDP, by more than 65% by 2030.

Bitcoin mining ban can help with that.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!