The enableToken function performs an ERC20.approve() call but does not check the success return value.
Some tokens do not revert if the approval failed but return false instead.
Impact
Tokens that don't actually perform the approve and return false are still counted as a correct approve.
Recommended Mitigation Steps
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handles the return value check as well as non-standard-compliant tokens.
Handle
cmichel
Vulnerability details
Vulnerability Details
The
enableTokenfunction performs anERC20.approve()call but does not check thesuccessreturn value. Some tokens do not revert if the approval failed but returnfalseinstead.Impact
Tokens that don't actually perform the approve and return
falseare still counted as a correct approve.Recommended Mitigation Steps
We recommend using OpenZeppelin’s
SafeERC20versions with thesafeApprovefunction that handles the return value check as well as non-standard-compliant tokens.