It seems like the launch of the Geld token by @adamscochran introduced a significant flaw within its _transfer function, which is once again a perfect example why audits are not complementary but mandatory.
The Geld token, incorporates a known pattern where the _transfer function executes specific actions based on certain conditions:
The Geld token, incorporates a known pattern where the _transfer function executes specific actions based on certain conditions:
This pattern includes swapping the token for ETH, with portions of the ETH allocated for auto liquidity, team, and revenue purposes:
The issue arises with the approve call before the swap to the router is executed. This function should authorize a designated router to transfer tokens on behalf of the contract:
However, in this case, it mistakenly authorizes the router to transfer tokens from the msg.sender instead of from the contract itself:
This oversight leads to a revert in the swapping mechanism due to the lack of proper approval and therefore the whole transfer call reverts.
Fortunately, it is possible to just change some parameters such that the condition will not be fulfilled and swapBack is not invoked.
For instance, when selling, the token is being transferred to the pair, governance therefore can simply mark the "to" address (pair) as excluded from the fee, this will therefore not fulfill the condition and not invoke swapBack.
This scenario underscores the importance of proper auditing and the repetitive approval mistakes, whether it is an incorrect allowance check or an incorrect approval granting. Such an issue could have been easily caught with testing. Unfortunately, that was not done.
Link to the article
https://twitter.com/CharlesWangP/status/1777459158695944336
