My contract wants to increase a user’s allowance by +5. I simply call
safeIncreaseAllowance(user, 5) as recommended by the SafeERC20 contract.
An auditor suggested the following:
safeIncreaseAllowance(user, 0); safeIncreaseAllowance(user, 5); This does not make sense to me, as the first call does nothing. I think he’s copying the pattern for
Question: Is my call above safe with respect to the known vulnerability to
I read about the vulnerability in
approve. It looks to me like most people are still doing this wrong. AFAIK, the “vulnerability” is only when you send 2 separate approve transactions and the attacker front runs the calls to grab more tokens than intended.
For example, yearn’s contracts do the following:
IERC20(want).safeApprove(ypool, 0); IERC20(want).safeApprove(ypool, _want);
How is this safer? The pair of calls is equivalent to calling
approve(ypool, _want). But the pair of calls is used to undermine the safety checks in