search

code-423n4 / 2022-05-velodrome-findings

0 stars 0 forks source link

Must approve 0 first #178

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Pair.sol#L459-L464 https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Voter.sol#L198

Vulnerability details

Impact

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value.They must first be approved by zero and then the actual allowance must be approved.

Proof of Concept

https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Pair.sol#L459-L464 https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Voter.sol#L198

Tools Used

Manual Review

Recommended Mitigation Steps

Use approve(_spender, 0) to set the allowance to zero immediately before each of the existing approve() calls.

GalloDaSballo commented 2 years ago

Given the linked code, (setting from 0 to max) and setting allowance, I must disagree with this finding that lacks nuance.

In lack of a POC, I believe the code will never revert, even when using USDT as the contract is approving only once