Guys, how can I call the following permit() function? What parameters should I pass for v, r, s? Any help is appreciated!

function permit(
    address owner,
    address spender,
    uint256 value,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
) public virtual override {
    // Reject signatures whose deadline has passed
    require(block.timestamp <= deadline, "ERC20Permit: expired deadline");
    // EIP-712 struct hash; _useNonce consumes the owner's current nonce, so a signature cannot be replayed
    bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline));
    bytes32 hash = _hashTypedDataV4(structHash);
    // Recover the signing address from (v, r, s); it must be the owner
    address signer = ECDSA.recover(hash, v, r, s);
    require(signer == owner, "ERC20Permit: invalid signature");
    _approve(owner, spender, value);
}

Jul 6, 2022, 7:02 AM
Also, can this be exploited so a random user approves the tokens for another user to spend and then transfers them to his account via the transferFrom() function?
I have read the ERC-721 for this purpose but I ended up even more confused than at the beginning.
Jul 6, 2022, 7:05 AM
It's the signature you are going to pass
Jul 6, 2022, 7:15 AM
(v,r,s) are ECDSA components (digital signature)
Jul 6, 2022, 7:15 AM
v,r,s are derived from the sign
Jul 6, 2022, 7:16 AM
How do I get the signature?
Can this be exploited so users get approval to spend on random addresses and withdraw each other's tokens via the transferFrom() function, because they will now have the allowances required?
Jul 6, 2022, 7:19 AM
Without the user signing the permit data using his wallet, no
Jul 6, 2022, 7:20 AM
There are many attack vectors one can use to trick victims. However, the function alone is safe
Jul 6, 2022, 7:21 AM
can they use the 0x0 address as owner so they 'mint' them tokens from the 0x0 address?
Jul 6, 2022, 7:21 AM
Then the '0x0' address will have to sign the data, which is kinda impossible as nobody owns that address (yet)
Jul 6, 2022, 7:23 AM
So what I understand from this so far is: anyone can request approval to spend someone's tokens, but they cannot access them until the requested party 'approves' their request. Am I getting this right?
thanks
Jul 6, 2022, 7:27 AM
Think of it as like a real life permit. User A writes the following into a paper

"User B is granting access to User A for taking X amount from User B's wallet"

This has no validity until User B signs the paper right? That's exactly how erc20permit works too.
Jul 6, 2022, 7:33 AM
Thanks, that's a good clarification! So this cannot be abused to 'mint' from the 0x0 address and withdraw one's tokens without interaction from the requested side, yes?
Jul 6, 2022, 7:36 AM
Yep, just like the normal approve-transferFrom pattern, you can't take it without the requested party's consent (sign)
Jul 6, 2022, 7:38 AM
thanks!
Jul 6, 2022, 7:38 AM
