code-423n4 / 2021-09-defiprotocol-findings


ERC20 return values not checked #221

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The ERC20.approve() function returns a boolean value indicating success. This parameter needs to be checked for success.

The Basket.approveUnderlying function does not check the return value of the IERC20(tokens[i]).approve call. Neither does it work with tokens that don't return a boolean.

Impact

Tokens that don't actually grant the allowance and return false won't work. Also, tokens that don't correctly implement the latest EIP20 spec will not work as they revert the transaction because of the missing return value.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handles the return value check as well as non-standard-compliant tokens.
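The two patterns described in the report, as an added example that is not the project's code and not part of cmichel's report: an `approveUnderlying` that drops the boolean beside one that routes the call through OpenZeppelin's SafeERC20, plus two constructed mock tokens (one that returns `false` without granting, one that returns nothing) to show why each version behaves differently. The contract layout, the `spender` address and the mock tokens are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin 4.x paths; safeApprove was deprecated in 4.x and removed in 5.0,
// where forceApprove (added in 4.9) replaces it.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Unchecked pattern (illustrates the finding; hypothetical contract).
/// The bool returned by approve() is ignored, so a token that returns false
/// passes silently. A token whose approve() has no return value makes the
/// IERC20-typed call revert, because the compiler expects 32 bytes of return data.
contract BasketUnchecked {
    address[] public tokens;
    address public spender; // assumed: the contract that later pulls the tokens

    constructor(address[] memory _tokens, address _spender) {
        tokens = _tokens;
        spender = _spender;
    }

    function approveUnderlying() external {
        for (uint256 i = 0; i < tokens.length; i++) {
            // return value dropped: a false here is never noticed
            IERC20(tokens[i]).approve(spender, type(uint256).max);
        }
    }
}

/// Hardened pattern: SafeERC20 makes a low-level call, reverts if the call
/// fails or returns false, and accepts an empty return value.
contract BasketSafe {
    using SafeERC20 for IERC20;

    address[] public tokens;
    address public spender;

    constructor(address[] memory _tokens, address _spender) {
        tokens = _tokens;
        spender = _spender;
    }

    function approveUnderlying() external {
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 t = IERC20(tokens[i]);
            // safeApprove refuses non-zero -> non-zero changes (approve race
            // guard), so reset to zero first when an allowance already exists.
            if (t.allowance(address(this), spender) != 0) {
                t.safeApprove(spender, 0);
            }
            t.safeApprove(spender, type(uint256).max);
        }
    }
}

/// Constructed mock: claims the ERC20 interface but never grants an allowance
/// and returns false. BasketUnchecked.approveUnderlying succeeds against it;
/// BasketSafe.approveUnderlying reverts with SafeERC20's failure message.
contract FalseReturningToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

/// Constructed mock of a non-compliant token (no return value on approve).
/// BasketUnchecked.approveUnderlying reverts on return-data decoding;
/// BasketSafe.approveUnderlying succeeds and the allowance is granted.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address _spender, uint256 amount) external {
        allowance[msg.sender][_spender] = amount;
    }
}
```

Deploying both baskets with `[address(falseToken), address(noReturnToken)]` and calling `approveUnderlying()` on each reproduces the two failure modes from the report: the unchecked version silently accepts the `false` and reverts on the empty return, while the SafeERC20 version reverts on the `false` and accepts the empty return. On OpenZeppelin 4.9 or later the allowance-reset dance can be replaced by a single `t.forceApprove(spender, type(uint256).max)`.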

frank-beard commented 2 years ago

duplicate of #260

GalloDaSballo commented 2 years ago

Duplicate of #35