Severity: Informational
Description
The transferFrom function used by DToken, mimicking the token implementation of Dai, has a special case in the allowance check: if a user's allowance is set to 2^256-1 (the maximum unsigned integer), the allowance is considered infinite and never decreases unless the allower modifies it explicitly. Though this behavior does not introduce any security concerns that we are aware of, it diverges from the expected ERC20 behavior and should be documented explicitly so that users are aware of it and do not trigger it accidentally.
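The divergence described above, as an added Python model (not DToken's or Dai's code): the same approve-then-spend sequence is run against a token that honors the 2^256-1 sentinel and against one that always decrements. The class, function and account names are constructed for illustration.

```python
MAX_UINT256 = 2**256 - 1  # sentinel value treated as an "infinite" allowance


class TokenModel:
    """Constructed model of ERC20 balance/allowance accounting."""

    def __init__(self, infinite_sentinel):
        # True models the special case from the finding; False models a token
        # that decrements the allowance on every transferFrom.
        self.infinite_sentinel = infinite_sentinel
        self.balances = {}
        self.allowances = {}

    def approve(self, owner, spender, amount):
        if not 0 <= amount <= MAX_UINT256:
            raise ValueError("amount out of uint256 range")
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        allowed = self.allowance(src, caller)
        # Special case: skip both the check and the decrement for the sentinel.
        if not (self.infinite_sentinel and allowed == MAX_UINT256):
            if allowed < amount:
                raise ValueError("insufficient allowance")
            self.allowances[(src, caller)] = allowed - amount
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def allowance_after_spend(infinite_sentinel, approved, spent):
    """Approve `approved`, spend `spent` via transfer_from, return what remains."""
    token = TokenModel(infinite_sentinel)
    token.balances["alice"] = spent  # constructed sample accounts
    token.approve("alice", "spender", approved)
    token.transfer_from("spender", "alice", "bob", spent)
    return token.allowance("alice", "spender")


if __name__ == "__main__":
    print(allowance_after_spend(True, MAX_UINT256, 100) == MAX_UINT256)   # unchanged
    print(allowance_after_spend(False, MAX_UINT256, 100) == MAX_UINT256)  # decremented
```

An integrator that reads allowance() after a spend and expects it to have dropped by the transferred amount sees that hold for every approved value except the sentinel.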
Recommendation
Short term, consider whether this feature is necessary to include. If so, outline the infinite allowance behavior in user documentation and the project README.
Long term, always document any deviations from a specification to help facilitate compatibility.