0xlucky - repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds

[sherlock-admin4]

0xlucky

High

repayBorrowWithERC20Permit() function can be griefed by attacker and user will not be able to repay the borrow funds

Summary

Attacker can use a pending repayBorrowWithERC20Permit() transaction's signatures visibility in mempool to increment the nonce by front-running them, causing the spender's (victim) transaction to fail. We use permit function as repay transaction and approve transaction can be done in one single transaction

Vulnerability Detail

In permit , user give authorization to token transfers, and no need of native gas in their wallet. and in this when one nonce is submitted it cannot be replayed.

In our case, user sign approval , so that trusted service will utilize approved funds , as user has executed function onchain.
User sign and gives data as permit-data

When the repayBorrowWithERC20Permit ' function transactions are in the mempool, an attacker can take this signature, and call the permit` function on the token themselves.

Since this is a valid signature, the token accepts it and increases the nonce.

which increase the nonces, so that when the contract submits the permit transaction to token, it will revert.
As a result, user entire repayBorrowWithERC20Permit() transaction will revert.

Impact

All transaction of repayBorrowWithERC20Permit by user will be greifed by th attacker and it will revert.

user will not able to repay the borrow ammount, at tthat particular time , which might could lead to user loss

Code Snippet

 function repayBorrowWithERC20Permit(
    address borrower,
    uint256 amount,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
  ) external whenNotPaused {
    IERC20Permit erc20Token = IERC20Permit(underlying);
    erc20Token.permit(msg.sender, address(this), amount, deadline, v, r, s);

    if (!accrueInterest()) revert AccrueInterestFailed();
    uint256 interest = calculatingInterest(borrower);
    _repayBorrowFresh(msg.sender, borrower, decimalScaling(amount, underlyingDecimal), interest);
}

Tool used

Manual Review

Recommendation

In therequestWithdrawWithPermit Function, check if it has the approval it needs. If not, then only submit the permit signature.

Duplicate of #65