Closed code423n4 closed 2 years ago
Duplicate of #39
Lines of code
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/FlashLoan.sol#L48-L58
Vulnerability details
Impact
Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
Proof of Concept
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/FlashLoan.sol#L48-L58
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L418
Tools Used
None
Recommended Mitigation Steps
Use approve(_spender, 0) to set the allowance to zero immediately before each of the existing approve() calls.
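One way to apply the mitigation above, as an added example that is not code from the audited repository: the library ApproveWithReset, the mock token and the demo contract are hypothetical names constructed here. It goes slightly beyond the report by also accepting approve() implementations that return no value, as USDT's does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed stand-in for a USDT-style token: approve() returns nothing and
// reverts when a non-zero allowance is changed to another non-zero value.
contract MockUsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical helper, not taken from FlashLoan.sol or UniV3LpVault.sol.
library ApproveWithReset {
    // Clears any leftover allowance, then sets the requested amount.
    function approveWithReset(address token, address spender, uint256 amount) internal {
        _callApprove(token, spender, 0);
        if (amount != 0) _callApprove(token, spender, amount);
    }

    // Low-level call so that tokens returning no data and tokens returning
    // a bool are both handled; a returned `false` is treated as failure.
    function _callApprove(address token, address spender, uint256 amount) private {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}

// Constructed caller: the second approval would revert with a bare approve()
// because 100 is still outstanding; with the reset it succeeds.
contract ApproveDemo {
    using ApproveWithReset for address;

    function run(address spender) external returns (uint256) {
        MockUsdtLikeToken token = new MockUsdtLikeToken();
        address(token).approveWithReset(spender, 100);
        address(token).approveWithReset(spender, 250);
        return token.allowance(address(this), spender); // 250
    }
}
```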