pre-approve

pre-approve is a vulnerability in which an approve() is executed in advance, before the resource lock hook is installed on a Smart Account, so that the resulting allowance is never tracked by the hook and an attacker can later use transferFrom() to extract locked funds.
Description
In Smart Accounts that implement the ERC-7579 standard, funds can be locked using a resource lock hook during cross-chain operations. During the preCheck() phase of the resource lock hook, the calldata for asset transfers and approvals is inspected, and the corresponding amount is stored in transient storage. In the subsequent postCheck() phase, the hook verifies whether the asset was processed according to the amount tracked in preCheck().
However, postCheck() only treats approval amounts recorded in preCheck() as part of the locked state; an approval granted before the hook was installed is never recorded, so its allowance is not checked against the lock. A transferFrom() against that pre-existing allowance can then drain funds that should have stayed locked, resulting in a loss of the funds that were meant to compensate the fillers.
Recommendation
Ensure the resource lock hook is installed as part of the Smart (Modular) Account's deployment, so that there is no window in which approve() can be called before the hook exists, to prevent the pre-approve() attack.
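To make the ordering concrete, the following is an added Python model of the account, the hook and the two orderings. It is illustrative code written for this page, not the ERC-7579 reference implementation or any project's hook; the names Token, ResourceLockHook and SmartAccount, and the specific postCheck() rule that a tracked amount must not exceed the unlocked balance, are assumptions. The first scenario reproduces the window described above (hook installed after an untracked approval); the second shows why installing the hook at deployment closes it.

```python
"""Toy model of a resource-lock hook on a smart account (assumption-based)."""
import copy


class Token:
    """Minimal ERC-20-like ledger: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer(self, owner, to, amount):
        if self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("insufficient allowance")
        self.allowance[(owner, spender)] -= amount
        self.transfer(owner, to, amount)


class ResourceLockHook:
    """Hook in the spirit of the page: preCheck() records the amount of an
    approve/transfer call, postCheck() checks it against the unlocked balance.
    The exact check is an assumption for this model."""

    def __init__(self, token, locked):
        self.token = token
        self.locked = locked   # amount that must stay in the account
        self.transient = 0     # stands in for transient storage

    def pre_check(self, call):
        if call["selector"] in ("approve", "transfer"):
            self.transient = call["amount"]

    def post_check(self, account):
        free = self.token.balances.get(account, 0) - self.locked
        if self.transient > free:
            raise ValueError("resource lock violated")
        self.transient = 0


class SmartAccount:
    """Account whose execute() path runs the hook around each call, if installed."""

    def __init__(self, name, token, hook=None):
        self.name, self.token, self.hook = name, token, hook

    def install_hook(self, hook):
        self.hook = hook

    def execute(self, call):
        snapshot = copy.deepcopy((self.token.balances, self.token.allowance))
        if self.hook:
            self.hook.pre_check(call)
        try:
            if call["selector"] == "approve":
                self.token.approve(self.name, call["spender"], call["amount"])
            elif call["selector"] == "transfer":
                self.token.transfer(self.name, call["to"], call["amount"])
            if self.hook:
                self.hook.post_check(self.name)
        except ValueError:
            # the whole call reverts, as an EVM revert would undo the state change
            self.token.balances, self.token.allowance = snapshot
            raise


def pre_approve_window():
    """Vulnerable ordering: account deployed first, hook installed later."""
    token = Token({"acct": 100})                            # constructed sample state
    acct = SmartAccount("acct", token)                      # no hook yet
    acct.execute({"selector": "approve", "spender": "spender", "amount": 100})
    acct.install_hook(ResourceLockHook(token, locked=100))  # lock arrives too late
    # the allowance predates the hook, so nothing ever checked it against the lock
    token.transfer_from("spender", "acct", "spender", 100)
    return token.balances["acct"]                           # locked funds are gone


def hook_at_deployment():
    """Recommended ordering: hook installed as part of deployment."""
    token = Token({"acct": 100})
    acct = SmartAccount("acct", token, ResourceLockHook(token, locked=100))
    try:
        acct.execute({"selector": "approve", "spender": "spender", "amount": 100})
    except ValueError:
        pass  # reverted: the approval would exceed the unlocked balance
    try:
        token.transfer_from("spender", "acct", "spender", 100)
    except PermissionError:
        pass  # no allowance was ever recorded, so transferFrom fails
    return token.balances["acct"]                           # locked funds intact


if __name__ == "__main__":
    print("hook installed later ->", pre_approve_window())
    print("hook at deployment   ->", hook_at_deployment())
```

The model deliberately lets transferFrom() bypass the account's execute() path, because a third party spending an allowance never goes through the account's hooks; that is exactly why an allowance created before the hook exists is invisible to it.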