transferFrom includes non-standard infinite allowances
Severity: Informational
Difficulty: Low
Type: Undefined Behavior
Target: OrbitDai.sol

Description
The transferFrom function used for the oDai and eDai tokens, mimicking the token implementation of Dai itself, has a special case in the allowance check: if a user's allowance is set to 2^256-1 (the maximum unsigned integer), the allowance is considered infinite and never decreases unless explicitly modified by the allower. Though this behavior does not introduce any security concerns we are aware of, it diverges from the expected ERC20 behavior and should be documented explicitly so that users are aware of it and do not trigger it accidentally.

Recommendations
Short term, outline the infinite allowance behavior in the project README.
Long term, always document any deviations from a specification to help facilitate compatibility.
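The special case described above, as an added illustration (not the OrbitDai.sol source or the Dai contract itself): a minimal Solidity token whose transferFrom follows the Dai pattern, beside a strictly decrementing variant for contrast. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical token showing the Dai-style "infinite allowance" special case.
contract InfiniteAllowanceToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    /// Dai-style: an allowance equal to 2^256-1 (type(uint256).max) is treated
    /// as unlimited and is never decremented, so it stays in force until the
    /// allower explicitly changes it with approve().
    function transferFrom(address src, address dst, uint256 wad) external returns (bool) {
        require(balanceOf[src] >= wad, "insufficient-balance");
        if (src != msg.sender && allowance[src][msg.sender] != type(uint256).max) {
            require(allowance[src][msg.sender] >= wad, "insufficient-allowance");
            allowance[src][msg.sender] -= wad;
        }
        balanceOf[src] -= wad;
        balanceOf[dst] += wad;
        emit Transfer(src, dst, wad);
        return true;
    }

    /// Strict variant for comparison: every allowance, including the maximum
    /// value, is reduced by the transferred amount on each call.
    function strictTransferFrom(address src, address dst, uint256 wad) external returns (bool) {
        require(balanceOf[src] >= wad, "insufficient-balance");
        require(allowance[src][msg.sender] >= wad, "insufficient-allowance");
        allowance[src][msg.sender] -= wad;
        balanceOf[src] -= wad;
        balanceOf[dst] += wad;
        emit Transfer(src, dst, wad);
        return true;
    }
}
```

Approving 2^256-1 to a spender and then calling transferFrom twice leaves the allowance unchanged in the Dai-style path, whereas strictTransferFrom reduces it on each call; integrations that read allowance to track remaining spend will see this difference.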