search

code-423n4 / 2022-05-alchemix-findings

5 stars 2 forks source link

AutoleverageBase: Must approve 0 first #144

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AutoleverageBase.sol#L61-L63

Vulnerability details

Impact

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.They must first be approved by zero and then the actual allowance must be approved.

Proof of Concept

https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AutoleverageBase.sol#L61-L63 https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AutoleverageBase.sol#L147-L147 https://github.com/code-423n4/2022-05-alchemix/blob/71abbe683dfd5c0686b7e594fb4f78a14b668d8b/contracts-full/AutoleverageBase.sol#L178-L179

Tools Used

None

Recommended Mitigation Steps

    function approve(address token, address spender) internal {
    +  IERC20(token).approve(spender, 0);
        IERC20(token).approve(spender, type(uint256).max);
    }
0xtao commented 2 years ago

Sponsor confirmed

This implementation will not work for tokens like USDT where the approval is not set to 0 initially

0xleastwood commented 2 years ago

It seems like approve() will fail to execute on non-standard tokens which require the approval amount to start from zero. This is valid and should be updated to handle such tokens.