AuditProfile

Security blog

Try-catch block to save signature from hacker

The XDEFI protocol has a migration system that uses user signatures.

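Migration functions can be temporarily blocked with a permission frontrun. An attacker can take the user's signature from the pending migration transaction and call permit with it directly on the token contract. That call increments the nonce, so the permit call inside the user's migration tx no longer matches and the migration reverts: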

    function permit(
        address owner_,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external override {
        require(owner_ != address(0), "ERC20: Owner cannot be 0");
        require(block.timestamp < deadline, "ERC20: Expired");
        bytes32 digest =
            keccak256(
                abi.encodePacked(
                    EIP191_PREFIX_FOR_EIP712_STRUCTURED_DATA,
                    DOMAIN_SEPARATOR,
                    // The owner's nonce is read and incremented here, whoever the caller is.
                    keccak256(abi.encode(PERMIT_SIGNATURE_HASH, owner_, spender, value, nonces[owner_]++, deadline))
                )
            );
        // ... (the rest of permit() is not shown in this excerpt)
    }

It is recommended to wrap token.permit() calls in a try-catch block, so that the transaction can continue if the permission has already been consumed:

function migrate(uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public {
+   try IERC20Permit(address(oldToken)).permit(msg.sender, address(this), amount, deadline, v, r, s) {} catch {}
    // send tokens
}
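
Review bot: the empty `catch {}` on the added permit line swallows every permit failure, not only the already-consumed-nonce case, so an expired deadline or a bad signature also falls through to `// send tokens`. Confirm that the send step reverts when the allowance from msg.sender to this contract is below `amount`, or check the allowance in the catch branch and revert there with a clear error. A short comment on the try-catch line explaining why the failure is ignored would also help later readers.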

A very simple and neat fix for this kind of problem.
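
A small Python model of the behaviour described above, added here as an illustration and not taken from the XDEFI code or the report. HMAC stands in for the EIP-712 signature, `Revert` for an EVM revert, and `Token`, `migrate` and `scenario` are hypothetical names. It shows the unpatched migration reverting once the permit has been consumed, the try-catch variant completing, and an invalid signature still failing at the transfer.

```python
import hashlib, hmac

class Revert(Exception): """Stands in for an EVM revert (model only)."""

def sign(key, owner, spender, value, nonce, deadline):
    # Assumption: HMAC stands in for the EIP-712 ECDSA signature over the same fields.
    msg = f"{owner}|{spender}|{value}|{nonce}|{deadline}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Token:
    def __init__(self, keys, balances):
        self.keys, self.balances = keys, dict(balances)
        self.nonces, self.allowance = {}, {}

    def permit(self, owner, spender, value, deadline, sig, now=0):
        if now >= deadline:
            raise Revert("expired")
        nonce = self.nonces.get(owner, 0)
        expected = sign(self.keys[owner], owner, spender, value, nonce, deadline)
        if not hmac.compare_digest(sig, expected):
            raise Revert("invalid signature")    # checked before mutating: a revert undoes state
        self.nonces[owner] = nonce + 1           # the nonce is consumed whoever the caller is
        self.allowance[(owner, spender)] = value

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount or self.balances.get(owner, 0) < amount:
            raise Revert("insufficient allowance or balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def migrate(token, user, amount, deadline, sig, tolerate_used_permit):
    try:
        token.permit(user, "migrator", amount, deadline, sig)
    except Revert:
        if not tolerate_used_permit:
            raise                                # unpatched: the whole tx reverts
    token.transfer_from("migrator", user, "migrator", amount)  # "send tokens"

def scenario(tolerate_used_permit, valid_sig=True, front_run=True):
    key = b"constructed-user-key"                # constructed sample data
    token = Token({"user": key}, {"user": 100})
    sig = sign(key, "user", "migrator", 100, 0, 10) if valid_sig else b"\x00" * 32
    if front_run and valid_sig:                  # someone else submits the same permit first
        token.permit("user", "migrator", 100, 10, sig)
    try:
        migrate(token, "user", 100, 10, sig, tolerate_used_permit)
        return "migrated"
    except Revert as e:
        return f"reverted: {e}"
```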

Read the full report here:

Link: https://code4rena.com/reports/2024-08-xdefi-proleague#migration-is-vulnerable-to-permission-frontrun

#trycatch

#signature

#frontrun
