From 7fc9bc26dc0353ecff80af99411a7c8120818ccf Mon Sep 17 00:00:00 2001
From: Adam Gall <galladamj@gmail.com>
Date: Mon, 20 Oct 2025 00:06:39 -0400
Subject: [PATCH] Fix: Missing zero address validation in permit()

The permit() function was missing zero address validation for the spender
parameter, allowing gasless approvals to the zero address which violates the
ERC-20 standard and EIP-2612 best practices.

This fix adds spender validation at the beginning of permit(), ensuring
consistency with the approve() function and preventing invalid permits.
---
 src/ERC20/ERC20/ERC20Facet.sol | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/ERC20/ERC20/ERC20Facet.sol b/src/ERC20/ERC20/ERC20Facet.sol
index 366eea28..8ad4d42d 100644
--- a/src/ERC20/ERC20/ERC20Facet.sol
+++ b/src/ERC20/ERC20/ERC20Facet.sol
@@ -291,6 +291,9 @@ contract ERC20Facet {
         bytes32 _r,
         bytes32 _s
     ) external {
+        if (_spender == address(0)) {
+            revert ERC20InvalidSpender(address(0));
+        }
         if (block.timestamp > _deadline) {
             revert ERC2612InvalidSignature(_owner, _spender, _value, _deadline, _v, _r, _s);
         }