code-423n4 / 2021-08-notional-findings

3 stars 0 forks source link

`TokenHandler.setToken` ERC20 missing return value check #77

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

Vulnerability Details

The setToken function performs an ERC20.approve() call but does not check the success return value. Some tokens do not revert if the approval failed but return false instead.

Impact

Tokens that don't actually perform the approve and return false are still counted as a correct approve.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handles the return value check as well as non-standard-compliant tokens.