# EIF Week 3
#### Working on the [Scam transactions Sandbox](https://github.com/therealharpaljadeja/rugproof-sandbox)
- Contracts (NFT and Token) are done: an ERC20Permit-style token and ERC721 NFTs.
```solidity
// EIP-2612 permit: sets an allowance from a signed typed-data message instead of an on-chain approve() call.
function permit(
    address owner,
    address spender,
    uint256 value,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
) public virtual override {
    require(block.timestamp <= deadline, "ERC20Permit: expired deadline");
    // The owner's nonce is consumed here, so each signature can only be used once.
    bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, owner, spender, value, _useNonce(owner), deadline));
    bytes32 hash = _hashTypedDataV4(structHash);
    address signer = ECDSA.recover(hash, v, r, s);
    require(signer == owner, "ERC20Permit: invalid signature");
    _approve(owner, spender, value);
}
```
Code can be found [here](https://github.com/therealharpaljadeja/rugproof-sandbox).
The `permit` function specifically allows approving a spender using just a signature from the user; this is where the loophole is. Some malicious frontends request this signature from the user, and if the wallet doesn't warn the user, the attacker ends up with an allowance to transfer all of the user's tokens to itself.
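As an added example (not code from the sandbox repo), here is the kind of wallet-side check that would catch this: it inspects an incoming `eth_signTypedData_v4` payload and flags a Permit that asks for an unlimited value, a far-future deadline, an unknown spender, or a different chain. The option names (`knownSpenders`, `maxDeadlineSeconds`, `walletChainId`) and the sample request are assumptions constructed for the example.

```javascript
const UINT256_MAX = (1n << 256n) - 1n;
const PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"];

// Inspect an eth_signTypedData_v4 payload before the wallet asks the user to sign.
// Returns { isPermit, warnings, risk } so the UI can warn or block.
function analyzePermitRequest(typedData, opts = {}) {
  const {
    now = Math.floor(Date.now() / 1000), // unix seconds
    walletChainId = null,                 // chain the wallet is connected to (assumed option)
    knownSpenders = new Set(),            // lower-case addresses the user has approved before (assumed option)
    maxDeadlineSeconds = 3600,            // constructed threshold; legitimate dapps use short deadlines
  } = opts;
  const warnings = [];
  const permitType = typedData.types && typedData.types.Permit;
  if (typedData.primaryType !== "Permit" || !permitType) {
    return { isPermit: false, warnings, risk: "none" };
  }
  const fieldNames = permitType.map((f) => f.name);
  if (PERMIT_FIELDS.some((f) => !fieldNames.includes(f))) {
    warnings.push("Permit struct is missing standard fields");
  }
  const msg = typedData.message;
  const value = BigInt(msg.value);
  const deadline = BigInt(msg.deadline);
  const spender = String(msg.spender).toLowerCase();
  if (value === UINT256_MAX) warnings.push("unlimited allowance requested");
  if (deadline === UINT256_MAX || deadline > BigInt(now + maxDeadlineSeconds)) {
    warnings.push("deadline far in the future");
  }
  if (!knownSpenders.has(spender)) warnings.push("spender is not a previously approved contract");
  if (walletChainId !== null && Number(typedData.domain.chainId) !== walletChainId) {
    warnings.push("domain chainId differs from the connected chain");
  }
  const risk = warnings.length >= 2 ? "high" : warnings.length === 1 ? "medium" : "low";
  return { isPermit: true, token: typedData.domain.verifyingContract, spender, value, deadline, warnings, risk };
}

// Constructed sample: the shape of request a malicious frontend hands to the wallet.
const samplePhishingPermit = {
  domain: { name: "Token", version: "1", chainId: 1, verifyingContract: "0x" + "11".repeat(20) },
  primaryType: "Permit",
  types: { Permit: PERMIT_FIELDS.map((name) => ({ name, type: name === "owner" || name === "spender" ? "address" : "uint256" })) },
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "bb".repeat(20),
             value: UINT256_MAX.toString(), nonce: "0", deadline: UINT256_MAX.toString() },
};

console.log(analyzePermitRequest(samplePhishingPermit, { now: 1700000000, walletChainId: 1 }).warnings);
```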
#### Went through the [Stelo API docs](https://docs.stelolabs.com/reference/introduction)
- Stelo computes asset changes by looking for events, which can be manipulated. Will have to test that on mainnet.

Found out that their extension doesn't work on testnets, which I didn't expect, but it is still an insight.
Came across [buggy ERC20 implementations](https://github.com/sec-bit/awesome-buggy-erc20-tokens).
[Alchemy Spam Contracts](https://docs.alchemy.com/reference/getspamcontracts)