Lines of code
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol#L104
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV2.strategy.sol#L134
Vulnerability details
Impact
The missing approval reset affects users swapping ZetaToken for other ERC-20 tokens or for ETH through the Uniswap V2 consumer strategy.
For example, when a user exchanges ZetaToken for another ERC-20 token, the strategy approves the Uniswap V2 router for the input amount. If the token being approved enforces the USDT-style rule that a non-zero allowance must be reset to 0 before it is changed to another non-zero value, and any allowance from an earlier call is still outstanding, the approve call reverts and the swap fails. Users who are unaware of this token behaviour are then unable to complete the intended swap, which can translate into missed trades and financial loss.
Proof of Concept
The contract does not reset the allowance to 0 before setting it to a new value when approving ERC-20 tokens, which breaks with tokens that require that sequence. Specifically, functions such as getTokenFromZeta call safeApprove on every invocation without first resetting the allowance to 0. If a previous approval was not fully consumed, the next call attempts a non-zero to non-zero allowance change, which reset-required tokens reject. OpenZeppelin's SafeERC20.safeApprove, in every release that still ships it, enforces the same rule on the caller's side and reverts with "SafeERC20: approve from non-zero to non-zero allowance" in that situation, so a leftover allowance makes the second call fail regardless of the token's own behaviour.
Tools Used
Manual
Recommended Mitigation Steps
Reset the allowance to 0 before setting a new value when approving ERC-20 tokens (safeApprove(router, 0) followed by safeApprove(router, amount)), or use a helper that handles the reset for you, such as OpenZeppelin's forceApprove or safeIncreaseAllowance, so that tokens requiring the reset and the SafeERC20 non-zero check are both satisfied.
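The pattern from the proof of concept and the two mitigations above, as an added illustration written for this page (it is not code from the ZetaChain repository or from OpenZeppelin). It assumes OpenZeppelin Contracts 4.9.x, whose SafeERC20 provides both safeApprove and forceApprove; the ResetRequiredToken, PartialSpender and Consumer contracts are hypothetical stand-ins for a USDT-style token, the Uniswap V2 router, and the consumer strategy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration for this finding, not code from the ZetaChain repository.
// Assumes OpenZeppelin Contracts 4.9.x (SafeERC20 with safeApprove and forceApprove).
// All contract names below are hypothetical.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Minimal USDT-style token (constructed for the demo): approve() reverts when a
/// non-zero allowance is changed directly to another non-zero value.
contract ResetRequiredToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        // The reset rule: non-zero -> non-zero is rejected, 0 must be set first.
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = value;
        return true;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 current = allowance[from][msg.sender];
        require(current >= value, "insufficient allowance");
        allowance[from][msg.sender] = current - value;
        _move(from, to, value);
        return true;
    }

    function _move(address from, address to, uint256 value) internal {
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }
}

/// Stand-in for the router. It pulls only what it is asked for, so approving
/// more than is pulled leaves a dangling non-zero allowance behind.
contract PartialSpender {
    function pull(IERC20 token, address from, uint256 amount) external {
        require(token.transferFrom(from, address(this), amount), "transferFrom failed");
    }
}

/// Stand-in for the consumer strategy, showing the reported pattern and two fixes.
contract Consumer {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    PartialSpender public immutable spender;

    constructor(IERC20 token_, PartialSpender spender_) {
        token = token_;
        spender = spender_;
    }

    /// Reported pattern: one safeApprove per call with no reset. Works only while
    /// every prior allowance was consumed in full; otherwise the second call hits
    /// SafeERC20's own non-zero -> non-zero check and reverts before approve() is
    /// even sent to the token.
    function swapVulnerable(uint256 approveAmount, uint256 pullAmount) external {
        token.safeApprove(address(spender), approveAmount);
        spender.pull(token, address(this), pullAmount);
    }

    /// Mitigation (a): explicit reset to 0 before the new value.
    function swapWithReset(uint256 approveAmount, uint256 pullAmount) external {
        if (token.allowance(address(this), address(spender)) != 0) {
            token.safeApprove(address(spender), 0);
        }
        token.safeApprove(address(spender), approveAmount);
        spender.pull(token, address(this), pullAmount);
    }

    /// Mitigation (b): forceApprove tries approve(value) and, if the token rejects
    /// it, performs approve(0) followed by approve(value) internally.
    function swapWithForceApprove(uint256 approveAmount, uint256 pullAmount) external {
        token.forceApprove(address(spender), approveAmount);
        spender.pull(token, address(this), pullAmount);
    }

    /// Allowance still outstanding toward the spender, for inspection between calls.
    function leftoverAllowance() external view returns (uint256) {
        return token.allowance(address(this), address(spender));
    }
}
```

Deploy the token, the spender and the consumer, transfer some tokens to the consumer, then call swapVulnerable(100, 60) twice: the first call leaves an allowance of 40 outstanding, and the second reverts inside safeApprove with "SafeERC20: approve from non-zero to non-zero allowance" before the token's own check is reached. The same sequence through swapWithReset or swapWithForceApprove completes. The explicit reset is the minimal patch to the existing code; forceApprove is preferable where the OpenZeppelin version offers it, since it handles both well-behaved and reset-required tokens without an extra allowance read in the caller.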
Assessed type
ERC20