The setToken function performs an ERC20.approve() call but does not check the success return value.
Some tokens do not revert if the approval failed but return false instead.
Impact
Tokens whose approve() fails and returns false instead of reverting are still treated as a successful approval, so the contract proceeds as if the allowance had been granted.
Recommended Mitigation Steps
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handles the return value check as well as non-standard-compliant tokens.
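The unchecked pattern beside the SafeERC20 fix, as an added example that is not the audited project's code. It assumes OpenZeppelin 4.x (where safeApprove exists; 5.x renamed it forceApprove) and uses a constructed token that signals failure by returning false.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited project's code. Assumes OpenZeppelin 4.x.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed non-standard token: never reverts, reports failure via `false`.
contract FalseReturningToken {
    function approve(address, uint256) external pure returns (bool) {
        return false; // approval silently "fails"
    }
    function allowance(address, address) external pure returns (uint256) {
        return 0;
    }
}

// Vulnerable pattern: the approve() return value is discarded.
contract UncheckedApprover {
    address public token;
    address public spender;
    constructor(address _spender) { spender = _spender; }

    function setToken(address _token) external {
        token = _token;
        // Returns false for FalseReturningToken, but execution continues and
        // the contract now behaves as if the allowance had been granted.
        IERC20(_token).approve(spender, type(uint256).max);
    }
}

// Hardened pattern: SafeERC20 reverts when approve() returns false and also
// tolerates tokens that return no data at all.
contract CheckedApprover {
    using SafeERC20 for IERC20;
    address public token;
    address public spender;
    constructor(address _spender) { spender = _spender; }

    function setToken(address _token) external {
        token = _token;
        // safeApprove only allows a non-zero value when the current allowance
        // is zero, so reset first in case a token was set earlier.
        IERC20(_token).safeApprove(spender, 0);
        IERC20(_token).safeApprove(spender, type(uint256).max);
    }
}
```

Calling UncheckedApprover.setToken with a FalseReturningToken succeeds and leaves no allowance; CheckedApprover.setToken reverts with "SafeERC20: ERC20 operation did not succeed", surfacing the failure instead of hiding it.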
Handle
cmichel