From 203a651eb0c867785fb4786abfb8b9d17deafa65 Mon Sep 17 00:00:00 2001
From: ADVK <advaiyakarnik@gmail.com>
Date: Thu, 20 Apr 2023 11:28:03 +0530
Subject: [PATCH] Allowance check added

---
 src/mixins/ERC4626.sol | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/src/mixins/ERC4626.sol b/src/mixins/ERC4626.sol
index af56c156..aa3d6001 100644
--- a/src/mixins/ERC4626.sol
+++ b/src/mixins/ERC4626.sol
@@ -31,11 +31,7 @@ abstract contract ERC4626 is ERC20 {
 
     ERC20 public immutable asset;
 
-    constructor(
-        ERC20 _asset,
-        string memory _name,
-        string memory _symbol
-    ) ERC20(_name, _symbol, _asset.decimals()) {
+    constructor(ERC20 _asset, string memory _name, string memory _symbol) ERC20(_name, _symbol, _asset.decimals()) {
         asset = _asset;
     }
 
@@ -70,17 +66,16 @@ abstract contract ERC4626 is ERC20 {
         afterDeposit(assets, shares);
     }
 
-    function withdraw(
-        uint256 assets,
-        address receiver,
-        address owner
-    ) public virtual returns (uint256 shares) {
+    function withdraw(uint256 assets, address receiver, address owner) public virtual returns (uint256 shares) {
         shares = previewWithdraw(assets); // No need to check for rounding error, previewWithdraw rounds up.
 
         if (msg.sender != owner) {
             uint256 allowed = allowance[owner][msg.sender]; // Saves gas for limited approvals.
 
-            if (allowed != type(uint256).max) allowance[owner][msg.sender] = allowed - shares;
+            if (allowed != type(uint256).max) {
+                require(assets <= allowance[owner][msg.sender], "amount to be withdraw is more than allowed");
+                allowance[owner][msg.sender] = allowed - shares;
+            }
         }
 
         beforeWithdraw(assets, shares);
@@ -92,11 +87,7 @@ abstract contract ERC4626 is ERC20 {
         asset.safeTransfer(receiver, assets);
     }
 
-    function redeem(
-        uint256 shares,
-        address receiver,
-        address owner
-    ) public virtual returns (uint256 assets) {
+    function redeem(uint256 shares, address receiver, address owner) public virtual returns (uint256 assets) {
         if (msg.sender != owner) {
             uint256 allowed = allowance[owner][msg.sender]; // Saves gas for limited approvals.