code-423n4 / 2021-10-ambire-findings


`Zapper` only works for whitelisted tokens #33

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The Zapper.approve/approveMaxMany function can only be called by an admin.

Impact

Users cannot use the Zapper to trade with non-whitelisted (approved) tokens as the Uniswap routers have not been approved to transfer the token from the zapper.

Recommended Mitigation Steps

Use a permissionless solution, for example, approving the Uniswap Router with the tokens to trade in each trade call (exchangeV2, diversifyV3, etc.).
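The two patterns contrasted in this finding, written out as an added illustration (this is not the Ambire Zapper's code; the contract shapes, the `IUniswapV2Router` and `IERC20` interfaces, and the `exchangeV2` signature are simplified assumptions that keep only the calls needed to show the approval flow):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interfaces: only the calls this example uses.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

interface IUniswapV2Router {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Pattern described in the finding: allowances to the router are granted only by an
// admin, so a trade through any token the admin has not whitelisted reverts inside the
// router's transferFrom (the zapper never gave it an allowance).
contract ZapperAdminApprove {
    address public immutable admin;
    IUniswapV2Router public immutable router;

    constructor(IUniswapV2Router _router) {
        admin = msg.sender;
        router = _router;
    }

    // Admin-only: whitelists a token by approving the router for it.
    function approve(IERC20 token, uint256 amount) external {
        require(msg.sender == admin, "only admin");
        require(token.approve(address(router), amount), "approve failed");
    }

    // path[0] is the token the user sells; it must already be approved by the admin.
    function exchangeV2(uint256 amountIn, uint256 amountOutMin, address[] calldata path, uint256 deadline) external {
        IERC20 tokenIn = IERC20(path[0]);
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        // Reverts for non-whitelisted tokens: the router has no allowance to pull them.
        router.swapExactTokensForTokens(amountIn, amountOutMin, path, msg.sender, deadline);
    }
}

// Pattern from the recommended mitigation: each trade call ensures the router has an
// allowance for exactly the token being traded, so no admin whitelist is needed.
contract ZapperPerTradeApprove {
    IUniswapV2Router public immutable router;

    constructor(IUniswapV2Router _router) {
        router = _router;
    }

    // Grants the router an allowance on demand; skipped when one already exists.
    function _ensureAllowance(IERC20 token, uint256 amount) internal {
        if (token.allowance(address(this), address(router)) < amount) {
            // Reset to zero first: some tokens reject non-zero -> non-zero changes.
            token.approve(address(router), 0);
            require(token.approve(address(router), type(uint256).max), "approve failed");
        }
    }

    function exchangeV2(uint256 amountIn, uint256 amountOutMin, address[] calldata path, uint256 deadline) external {
        IERC20 tokenIn = IERC20(path[0]);
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        _ensureAllowance(tokenIn, amountIn);
        router.swapExactTokensForTokens(amountIn, amountOutMin, path, msg.sender, deadline);
    }
}
```

The permissionless variant trades one property for another: the contract now makes external calls into whatever token contract the caller names in `path[0]`, so it should never hold residual balances between calls (an unlimited allowance on an arbitrary token is only harmless when there is nothing for the router to pull outside the current trade), and a production version would use a SafeERC20-style wrapper because some widely used tokens do not return a bool from `approve`/`transferFrom`.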

Ivshti commented 2 years ago

Intended behavior - the user can always go around the zapper by approving and calling the router directly - ofc, in one batch transaction.

The Zapper is only there to optimize some "happy paths" by avoiding one approval and doing the same number of transfers

GalloDaSballo commented 2 years ago

While the usage of the Zapper is consistent with the Sponsor's goal, the finding is valid. I'm downgrading to non-critical as it's a feature, not a bug.