code-423n4 / 2021-09-defiprotocol-findings


USE SAFEERC20.SAFEAPPROVE IN approveUnderlying() #59

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

defsec

Vulnerability details

Impact

This is probably an oversight since SafeERC20 was imported and safeTransfer() was used for ERC20 token transfers. Nevertheless, note that approve() will fail for certain token implementations that do not return a boolean value. Hence it is recommended to use safeApprove().

Proof of Concept

  1. Navigate to "https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Basket.sol".
  2. Preview the approveUnderlying function on the contract.
  3. The approve function has been used instead of safeApprove.

Tools Used

Manual Code Review

Recommended Mitigation Steps

Update to _token.safeApprove(spender, type(uint256).max) in approveUnderlying().
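
The failure mode described in this finding, as an added example that is not code from the Basket contract or from OpenZeppelin: a constructed token whose approve() returns nothing, a hypothetical ApprovalDemo contract with the plain approve() path beside a hardened path, and an inline _safeApprove helper that reproduces the SafeERC20 pattern (a low-level call that accepts either empty return data or a decoded true) so the file compiles without an import. The contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; not the Basket contract and not OpenZeppelin's SafeERC20.
// IERC20 declares approve() as returning bool. That declared return type is
// what makes a plain high-level call revert against a token that returns nothing.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed token that mimics approve() implementations with no return value.
// The function selector matches IERC20.approve, so the call itself succeeds,
// but the caller's ABI decoding of the empty return data reverts.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

// Hypothetical basket-like contract showing both approval paths side by side.
contract ApprovalDemo {
    // Vulnerable path: the high-level call expects 32 bytes of return data
    // (a bool) and gets 0 bytes from NoReturnToken, so the transaction reverts.
    function approveUnchecked(IERC20 token, address spender) external {
        token.approve(spender, type(uint256).max);
    }

    // Hardened path: same pattern SafeERC20.safeApprove uses, written inline.
    function approveSafe(IERC20 token, address spender) external {
        _safeApprove(token, spender, type(uint256).max);
    }

    // A low-level call returns (success, returndata) without decoding anything.
    // Accept either no return data (non-standard tokens) or a decoded true
    // (standard tokens); treat false or a failed call as an error.
    function _safeApprove(IERC20 token, address spender, uint256 value) internal {
        // A low-level call to an address with no code "succeeds" with empty
        // data, which would otherwise look like a non-returning token.
        require(address(token).code.length > 0, "approve: not a contract");

        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, value)
        );
        require(ok, "approve: call reverted");
        require(
            data.length == 0 || abi.decode(data, (bool)),
            "approve: returned false"
        );
    }
}
```

Calling approveUnchecked with a NoReturnToken address reverts; approveSafe succeeds and sets the allowance. One caveat when adopting the recommended mitigation: OpenZeppelin's 4.x safeApprove also reverts when an allowance is changed from one non-zero value to another, so if approveUnderlying() can run more than once for the same token, reset the allowance to 0 first or use forceApprove (available from OpenZeppelin 4.9).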

frank-beard commented 3 years ago

https://github.com/code-423n4/2021-09-defiprotocol-findings/issues/260

GalloDaSballo commented 2 years ago

Duplicate of #114