Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.
They must first be approved by zero and then the actual allowance must be approved.
approve without approving 0 first CvxCrvRewardsLocker.sol, 52, IERC20(CRV).safeApprove(CRV_DEPOSITOR, type(uint256).max);
approve without approving 0 first Swapper3Crv.sol, 43, IERC20(USDC).safeApprove(SUSHISWAP, type(uint256).max);
approve without approving 0 first Swapper3Crv.sol, 46, IERC20(DAI).safeApprove(UNISWAP, type(uint256).max);
approve without approving 0 first BkdTriHopCvx.sol, 70, IERC20(underlying_).safeApprove(curveHopPool_, type(uint256).max);
approve without approving 0 first CvxCrvRewardsLocker.sol, 58, IERC20(CRV).safeApprove(CVX_CRV_CRV_CURVE_POOL, type(uint256).max);
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/CvxCrvRewardsLocker.sol#L53
Vulnerability details
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.