# #36268 \[SC-Medium] stake with signature can be front-run lead to user's stake failed **Submitted on Oct 27th 2024 at 05:37:13 UTC by @coffiasd for** [**Audit Comp | Anvil**](https://immunefi.com/audit-competition/audit-comp-anvil) * **Report ID:** #36268 * **Report Type:** Smart Contract * **Report severity:** Medium * **Target:** * **Impacts:** * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) ## Description ## Brief/Intro User stake assets to pool by invoke stake along with signed signature , this action can be front-run lead to user's stake failed ## Vulnerability Details The signature can be used to invoke CollateralVault::modifyCollateralizableTokenAllowanceWithSignature directly to change the allowcance of specifc ERC20 token.Due to the Nonce auto increased , user's transaction will result in failed. ## Impact Details User have to make another transaction , if this ERC20 token's approve state changed, user is unable to stake again. ## References \`\`\`solidity function stake( IERC20 \_token, uint256 \_amount, bytes calldata \_collateralizableApprovalSignature ) external withEligibleAccountTokensReleased(msg.sender, address(\_token)) returns (uint256) { if (\_collateralizableApprovalSignature.length > 0) { collateral.modifyCollateralizableTokenAllowanceWithSignature( msg.sender, address(this), address(\_token), Pricing.safeCastToInt256(\_amount), \_collateralizableApprovalSignature ); } ``` return _stake(_token, _amount); } ``` \`\`\` \`\`\`solidity function modifyCollateralizableTokenAllowanceWithSignature( address \_accountAddress, address \_collateralizableContractAddress, address \_tokenAddress, int256 \_allowanceAdjustment, bytes calldata \_signature ) external { if (\_allowanceAdjustment > 0 && !collateralizableContracts\[\_collateralizableContractAddress]) revert ContractNotApprovedByProtocol(\_collateralizableContractAddress); ``` _modifyCollateralizableTokenAllowanceWithSignature( _accountAddress, _collateralizableContractAddress, _tokenAddress, _allowanceAdjustment, _signature ); //@audit this can be front-run and break the func. } ``` \`\`\` ## Link to Proof of Concept ## Proof of Concept ## Proof of Concept \`\`\`solidity function testUserStakeFromPool() public { uint256 privateKey = 123; address alice = vm.addr(privateKey); MockERC20 token = MockERC20Tokens\[0]; uint256 amount = 1e18; deal(address(token),alice,amount); ``` uint256[] memory amounts = new uint256[](1); address[] memory tokens = new address[](1); amounts[0] = amount; tokens[0] = address(token); //depositAndApprove. vm.startPrank(alice); token.approve(address(colla), amount); colla.depositAndApprove(tokens, amounts, address(pool)); vm.stopPrank(); bytes32 hash = bytes32(0x082cb21d17680735512c9f8fae9ea433c5d7e18b2a4d9a2f0adadbf56761c4d6); (uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, hash); bytes memory signature = abi.encodePacked(r, s, v); colla.modifyCollateralizableTokenAllowanceWithSignature(alice,address(pool),address(token),1e18,signature); vm.prank(alice); pool.stake(IERC20(address(token)),1e18,signature); } ``` \`\`\` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/anvil/36268-sc-medium-stake-with-signature-can-be-front-run-lead-to-users-stake-failed.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.