code-423n4 / 2021-12-amun-findings


_maxApprove user input #289

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

_maxApprove is called with spender address that comes from user input. While these contracts do not expect to hold any funds, an approved actor could later use the approval to rescue accidentally sent tokens or airdrops.

Recommended Mitigation Steps

Consider approving only the necessary amount or resetting the approval afterward, or even introducing a whitelist of trusted addresses.
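To make the pattern concrete, here is the unbounded approval beside one scoped alternative, as an added Solidity example that is not code from the Amun repository or from the finding. Only the function name `_maxApprove` comes from the report; the contract names, `swap`, `trustedSpender` and `_safeApprove` are assumed here for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for the example (constructed here, not the project's interface).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Pattern from the finding: an unbounded allowance granted to a spender chosen by the caller.
contract MaxApproveOpen {
    function _maxApprove(address token, address spender) internal {
        // Hypothetical body: grant max allowance once per (token, spender).
        if (IERC20(token).allowance(address(this), spender) != type(uint256).max) {
            IERC20(token).approve(spender, type(uint256).max);
        }
    }

    // `router` is user input, so anyone can make this contract approve any address for everything.
    function swap(address token, address router, bytes calldata data) external {
        _maxApprove(token, router);
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
        // Any `token` balance that lands here later (mistaken transfer, airdrop)
        // can be pulled by `router` via transferFrom at any time.
    }
}

// Scoped alternative: whitelist of trusted spenders, exact-amount approval, reset after the call.
contract MaxApproveScoped {
    address public immutable owner;
    mapping(address => bool) public trustedSpender;

    constructor() {
        owner = msg.sender;
    }

    function setTrustedSpender(address spender, bool trusted) external {
        require(msg.sender == owner, "not owner");
        trustedSpender[spender] = trusted;
    }

    // Tolerates tokens that return no bool from approve() (the OpenZeppelin SafeERC20 approach).
    function _safeApprove(address token, address spender, uint256 amount) private {
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }

    function swap(address token, address router, uint256 amount, bytes calldata data) external {
        require(trustedSpender[router], "untrusted spender");
        _safeApprove(token, router, amount);       // only what this call needs
        (bool ok, ) = router.call(data);
        require(ok, "router call failed");
        _safeApprove(token, router, 0);            // nothing survives the call, even if partially consumed
    }
}
```

Resetting to zero also keeps the contract compatible with tokens that reject a non-zero to non-zero approval change; the whitelist is the stronger control, and the exact-amount plus reset is defence in depth if a trusted spender is later compromised.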

0xleastwood commented 2 years ago

Should be non-critical imo. No reason to expect tokens to be accidentally sent to this contract.