Open code423n4 opened 3 years ago
The issue is correct in pointing out that the wrong approve amount is used, however disagree with the severity.
It is common practice to approve the maximum amount of tokens for a contract to spend already. This bug simply allows more tokens to be approved (to a trusted contract in the system), than was intended. This is only exploitable if paired with another bug in the Tracer contracts. As is, no users would be affected.
Marking this as low-risk as it would only pose a security threat coupled with another bug.
Handle: cmichel

Vulnerability details

The pool holdings of `Insurance` (`publicCollateralAmount` and `bufferCollateralAmount`) are in WAD (18 decimals), but they are used as a raw token value in `drainPool`.

Impact

If `tracerMarginToken` has less than 18 decimals, the approval approves orders of magnitude more tokens than required for the `deposit` call that follows. If `tracerMarginToken` has more than 18 decimals, the `deposit` that follows would fail as fewer tokens were approved, but the protocol seems to disallow tokens with more than 18 decimals in general.

Recommended Mitigation Steps

Convert the `amount` to a "raw token value" and approve this one instead.
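The decimal mismatch described in the finding, as an added worked example (this is not Tracer's code and not part of the report): a WAD-to-raw conversion helper, a minimal allowance-only token stand-in, and the `drainPool` approval written both the buggy way (WAD figure passed straight to `approve`) and the mitigated way (converted to the token's native units first). `MockToken`, `wad_to_raw`, `drain_pool_vulnerable`, `drain_pool_fixed` and the 5-token sample amount are assumptions introduced for illustration; the 6-, 8-, 18- and 20-decimal cases are constructed to show both halves of the Impact section.

```python
from dataclasses import dataclass, field

WAD = 10**18  # 18-decimal fixed-point unit used for pool accounting


def wad_to_raw(amount_wad: int, token_decimals: int) -> int:
    """Convert an 18-decimal (WAD) accounting amount to the token's native units.

    Rounds down for tokens with fewer than 18 decimals, so the converted figure
    never exceeds what the accounting balance represents.
    """
    if token_decimals < 18:
        return amount_wad // 10 ** (18 - token_decimals)
    return amount_wad * 10 ** (token_decimals - 18)


@dataclass
class MockToken:
    """Minimal ERC-20 stand-in (hypothetical): only allowance bookkeeping is modelled."""
    decimals: int
    allowance: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, raw_amount: int) -> None:
        self.allowance[(owner, spender)] = raw_amount


def drain_pool_vulnerable(token: MockToken, amount_wad: int,
                          insurance: str = "Insurance", market: str = "Tracer") -> int:
    # Bug pattern from the finding: the WAD accounting figure is handed to
    # approve() as if it were already a raw token amount.
    token.approve(insurance, market, amount_wad)
    return token.allowance[(insurance, market)]


def drain_pool_fixed(token: MockToken, amount_wad: int,
                     insurance: str = "Insurance", market: str = "Tracer") -> int:
    # Mitigation: convert to raw units first, then approve exactly what the
    # following deposit() will transferFrom.
    raw = wad_to_raw(amount_wad, token.decimals)
    token.approve(insurance, market, raw)
    return token.allowance[(insurance, market)]


def over_approval_factor(token_decimals: int, amount_wad: int = 5 * WAD) -> int:
    """How many times larger than needed the buggy approval is (1 == exact).

    Only meaningful for tokens with at most 18 decimals; above that the buggy
    approval is smaller than needed and the factor rounds to 0.
    """
    needed = wad_to_raw(amount_wad, token_decimals)
    granted = drain_pool_vulnerable(MockToken(token_decimals), amount_wad)
    return granted // needed


def deposit_covered_by_vulnerable_approval(token_decimals: int,
                                           amount_wad: int = 5 * WAD) -> bool:
    """True if the buggy approval is at least what deposit() needs to pull."""
    needed = wad_to_raw(amount_wad, token_decimals)
    granted = drain_pool_vulnerable(MockToken(token_decimals), amount_wad)
    return granted >= needed


if __name__ == "__main__":
    for dec in (6, 8, 18):
        print(f"{dec}-decimal token: buggy approval is "
              f"{over_approval_factor(dec):,}x the deposit amount")
    print("20-decimal token: deposit covered by buggy approval?",
          deposit_covered_by_vulnerable_approval(20))
```

For a 6-decimal margin token the buggy path leaves a standing allowance a trillion times larger than the deposit that consumes it, which is the "orders of magnitude" figure in the report; for a token above 18 decimals the allowance is too small and the deposit would revert, matching the second case.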