code-423n4 / 2023-01-astaria-findings

ERC20 approve fail for some tokens #538

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-astaria/blob/main/src/ClearingHouse.sol#L148

Vulnerability details

Impact

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.

Proof of Concept

ClearingHouse.sol
148: ERC20(paymentToken).safeApprove(
149:      address(ASTARIA_ROUTER.TRANSFER_PROXY()),
150:      payment - liquidatorPayment
151:    );

Tools Used

Manual Review

Recommended Mitigation Steps

Use approve(0) to set the allowance to zero immediately before existing approve() calls.
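
The failure mode and the recommended zero-first approval, as an added Solidity example that is not part of the original submission or the Astaria code base. `UsdtLikeToken` is a constructed mock of the USDT-style allowance rule, `ApprovalDemo` and its function names are hypothetical, and plain interface calls stand in for the `safeApprove` wrapper shown above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed mock (not a real token): mimics the USDT-style rule that
// approve() reverts when both the current and the new allowance are non-zero.
contract UsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(
            value == 0 || allowance[msg.sender][spender] == 0,
            "non-zero to non-zero approve"
        );
        allowance[msg.sender][spender] = value;
    }
}

// Minimal interface for the mock; approve() returns nothing, as in the mock.
interface IApproveOnly {
    function approve(address spender, uint256 value) external;
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical caller standing in for the contract that grants the allowance.
contract ApprovalDemo {
    // Pattern from the report: a single approve with the new amount.
    // Reverts if an earlier non-zero allowance has not been fully spent.
    function approveDirect(IApproveOnly token, address spender, uint256 amount) external {
        token.approve(spender, amount);
    }

    // Mitigation from the report: clear any leftover allowance first,
    // then set the new one.
    function approveWithReset(IApproveOnly token, address spender, uint256 amount) external {
        if (token.allowance(address(this), spender) != 0) {
            token.approve(spender, 0);
        }
        token.approve(spender, amount);
    }
}
```

Against the mock, a second `approveDirect` with a non-zero amount reverts while the first allowance is still outstanding; `approveWithReset` succeeds in the same state.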

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #437

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes marked the issue as partial-25

Picodes commented 1 year ago

Partial credit due to the absence of PoC