Open code423n4 opened 2 years ago
Intended behavior - the user can always go around the zapper by approving and calling the router directly - ofc, in one batch transaction.
The Zapper is only there to optimize some "happy paths" by avoiding one approval and doing the same number of transfers.
While the usage of the Zapper is consistent with the Sponsor's goal, the finding is valid. I'm downgrading to non-critical as it's a feature, not a bug.
Handle
cmichel
Vulnerability details

The `Zapper.approve`/`approveMaxMany` function can only be called by an admin.

Impact

Users cannot use the `Zapper` to trade with non-whitelisted (approved) tokens, as the Uniswap routers have not been approved to transfer the token from the zapper.

Recommended Mitigation Steps

Use a permissionless solution, for example, approving the Uniswap Router with the tokens to trade in each trade call (`exchangeV2`, `diversifyV3`, etc.).
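As an added illustration (not code from the audited project or the warden), the sketch below contrasts the admin-gated approval the finding describes with the per-trade approval it recommends. `ZapperExample`, `approveMax`, the router interface and the `exchangeV2` body are assumptions; only the Uniswap V2 `swapExactTokensForTokens` signature is real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Real Uniswap V2 router signature; the rest of this contract is hypothetical.
interface IUniswapV2Router {
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline)
        external returns (uint256[] memory amounts);
}

contract ZapperExample {
    address public immutable admin;
    IUniswapV2Router public immutable router;

    constructor(IUniswapV2Router _router) {
        admin = msg.sender;
        router = _router;
    }

    // Pattern from the finding: only the admin can grant the router an allowance,
    // so a trade in any token the admin never whitelisted reverts inside the router.
    function approveMax(IERC20 token) external {
        require(msg.sender == admin, "not admin");
        require(token.approve(address(router), type(uint256).max), "approve failed");
    }

    // Mitigation: the trade itself sets the allowance, so no admin step is needed.
    function exchangeV2(IERC20 tokenIn, uint256 amountIn, uint256 minOut, address[] calldata path)
        external returns (uint256[] memory)
    {
        require(path.length >= 2 && path[0] == address(tokenIn), "path/token mismatch");
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        // Only touch the allowance when it is too small; reset to zero first because some
        // tokens reject a non-zero approve while an allowance is already set.
        if (tokenIn.allowance(address(this), address(router)) < amountIn) {
            require(tokenIn.approve(address(router), 0), "approve reset failed");
            require(tokenIn.approve(address(router), type(uint256).max), "approve failed");
        }
        // Output goes straight to the caller, so the zapper holds no balance between calls.
        return router.swapExactTokensForTokens(amountIn, minOut, path, msg.sender, block.timestamp);
    }
}
```

For production code the raw `approve`/`transferFrom` calls should go through a safe-transfer wrapper, since several widely used tokens return no boolean and would revert this sketch's `require` checks.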