Lines of code
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L418
Vulnerability details
Impact
If a user didn't utilize the whole amount on the first call, flashFocusCall can fail on the second and subsequent runs when params.asset is a token that uses approval race protection.
Setting severity to medium, as flashFocusCall reverts in this case and the flash loan functionality becomes unavailable for the user.
Proof of Concept
flashFocusCall approves flashLoan for a positive owedBack amount:
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/vault_and_oracles/UniV3LpVault.sol#L418
params.asset can be an arbitrary ERC20 token, while some tokens do not allow approval of a positive value if the allowance is already positive:
https://github.com/d-xo/weird-erc20#approval-race-protections
Recommended Mitigation Steps
Consider adding a zero-amount approval before the actual amount approval, i.e. guarantee that the allowance is zero before it is set.
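The failure mode and the recommended reset, as an added example that is not code from the audited repository. `RaceProtectedToken`, `IApprove`, `ApprovalSketch`, `approveDirect` and `approveWithReset` are hypothetical names, and the token is a constructed stand-in for one with approval race protection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed test token: approve() rejects a non-zero -> non-zero change.
contract RaceProtectedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount; // unrestricted: test helper only
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        require(amount == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // checked: reverts if allowance is too low
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

interface IApprove {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical caller standing in for the vault's approval step.
contract ApprovalSketch {
    // Before: reverts on a later call if `spender` left part of the previous allowance unspent.
    function approveDirect(address asset, address spender, uint256 owedBack) external {
        require(IApprove(asset).approve(spender, owedBack), "approve failed");
    }

    // After: clear any leftover allowance, then set the new amount.
    function approveWithReset(address asset, address spender, uint256 owedBack) external {
        require(IApprove(asset).approve(spender, 0), "reset failed");
        require(IApprove(asset).approve(spender, owedBack), "approve failed");
    }
}
```

Calling `approveDirect` twice for the same spender without the allowance being fully spent in between reverts on the second call, while `approveWithReset` succeeds each time. Tokens such as USDT also return no value from `approve`, so production code typically routes both calls through a wrapper that tolerates a missing return value.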