Clarify unsafety of FA1.2's approve
There is a known attack on the approve method of FA1.2 and it's mentioned in its description: https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit
As a certain mitigation FA1.2 prohibits changing the allowance from non-zero to non-zero, but it's still possible to misuse it, so it should be used carefully.
It is not safe to change the allowance from a non-zero value to a non-zero value. This is the reason why performing such a change directly is not allowed by the contract. However this is not enough on its own, a token holder that intends to safely change the allowance for X to K tokens must:
- read the current allowance M for X from the latest transaction S.
- send a transaction T that sets the allowance to 0.
- wait for the blockchain to confirm that T is included.
- scan all transactions between S and T.
- calculate the allowance N <= M spent by X in those transactions.
- set the allowance to K - N iff N < K.
We should make it clearer; I suggest adding it to FA1.2 directly, e.g. like this:
How to safely change the allowance
A token holder that intends to safely change the allowance for X to K tokens must:
- read the current allowance M for X from the latest transaction S.
- send a transaction T that sets the allowance to 0.
- wait for the blockchain to confirm that T is included.
- scan all transactions between S and T.
- calculate the allowance N <= M spent by X in those transactions.
- set the allowance to K - N iff N < K.
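The procedure above, run against a tiny in-memory model of an FA1.2-style allowance ledger (an added example for this issue, not FA1.2's contract code or a Tezos library); `Ledger`, `scenario` and the use of log position as the S/T transaction reference are assumptions, and "wait for confirmation" is modelled as T being appended to the log.

```python
class Ledger:
    """Minimal FA1.2-like allowance bookkeeping (constructed model, not the real contract)."""
    def __init__(self):
        self.allowance = {}  # (owner, spender) -> amount
        self.log = []        # ordered (kind, owner, spender, amount); index = position in chain

    def approve(self, owner, spender, amount):
        current = self.allowance.get((owner, spender), 0)
        if current != 0 and amount != 0:
            raise ValueError("UnsafeAllowanceChange")  # FA1.2's non-zero -> non-zero rule
        self.allowance[(owner, spender)] = amount
        self.log.append(("approve", owner, spender, amount))
        return len(self.log) - 1  # used as S and T below

    def transfer_from(self, spender, owner, amount):
        current = self.allowance.get((owner, spender), 0)
        if amount > current:
            raise ValueError("NotEnoughAllowance")
        self.allowance[(owner, spender)] = current - amount
        self.log.append(("transferFrom", owner, spender, amount))
        return len(self.log) - 1

def spent_between(ledger, owner, spender, s, t):
    """N: tokens that spender X actually pulled in the transactions between S and T."""
    return sum(a for kind, o, x, a in ledger.log[s + 1:t]
               if kind == "transferFrom" and o == owner and x == spender)

def safe_change_allowance(ledger, owner, spender, k, s):
    """The procedure from the issue; s is the transaction that granted the current allowance M."""
    m = ledger.log[s][3]                             # read M from S
    t = ledger.approve(owner, spender, 0)            # T: reset to 0; in the log == confirmed
    n = spent_between(ledger, owner, spender, s, t)  # scan S..T and compute N
    assert n <= m
    if n < k:                                        # K - N only if X has not already used up K
        ledger.approve(owner, spender, k - n)
    return n, ledger.allowance[(owner, spender)]

def scenario(spent_by_x, k):
    """Constructed run: owner grants M=100 to X, X spends before T lands, owner wants K."""
    ledger = Ledger()
    s = ledger.approve("owner", "X", 100)
    if spent_by_x:
        ledger.transfer_from("X", "owner", spent_by_x)
    return safe_change_allowance(ledger, "owner", "X", k, s)
```

Note that when X has already spent at least K between S and T, the allowance stays at 0, which is the case the naive "just approve K" flow gets wrong.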