code-423n4 / 2021-07-pooltogether-findings


Usage of safeApprove #75

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

pauliax

Vulnerability details

Impact

Function approveMax uses safeApprove. This function only works if the current approval is 0. Consider clearing previous approval (safeApprove(0)) before setting the max value again. The same issue can happen with SwappableYieldSource if, for example, source A is set but later changed to source B (_setYieldSource) and later you want to set source A again. safeApprove should fail as A already has approval. I think it would also make sense to clear approval of the old yield source when _setYieldSource is invoked as this old source becomes inactive so you don't want it to still have the approval to transfer the tokens.
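The approval pattern from the report, next to the clear-then-set form it recommends, as an added example that is not part of the original report or the PoolTogether code. The contract name, the owner check and all function bodies are hypothetical; `_safeApprove` reproduces the precondition of OpenZeppelin's `SafeERC20.safeApprove` and assumes a token whose `approve` returns a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}
// Hypothetical contract illustrating the report; not the audited code.
contract ApprovalDemo {
    IERC20 public token;
    address public owner;
    address public yieldSource;

    constructor(IERC20 _token, address _source) {
        token = _token;
        owner = msg.sender;
        yieldSource = _source;
    }

    // Same precondition as OpenZeppelin's SafeERC20.safeApprove:
    // only 0 -> x and x -> 0 transitions are accepted.
    function _safeApprove(address spender, uint256 value) internal {
        require(
            value == 0 || token.allowance(address(this), spender) == 0,
            "SafeERC20: approve from non-zero to non-zero allowance"
        );
        require(token.approve(spender, value), "approve failed");
    }

    // Pattern described in the report: reverts on any call made while
    // the yield source still holds a non-zero allowance.
    function approveMaxAsReported() external {
        _safeApprove(yieldSource, type(uint256).max);
    }

    // Clear first, then set: succeeds from any starting allowance.
    function approveMax() external {
        _safeApprove(yieldSource, 0);
        _safeApprove(yieldSource, type(uint256).max);
    }

    // Revoke the outgoing source so it can no longer move tokens and so
    // that switching back to it later starts from a zero allowance.
    function setYieldSource(address newSource) external {
        require(msg.sender == owner, "not owner");
        _safeApprove(yieldSource, 0);
        yieldSource = newSource;
        _safeApprove(newSource, 0);
        _safeApprove(newSource, type(uint256).max);
    }
}
```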

PierrickGT commented 3 years ago

Duplicate of https://github.com/code-423n4/2021-07-pooltogether-findings/issues/47 and https://github.com/code-423n4/2021-07-pooltogether-findings/issues/3