code-423n4 / 2024-01-init-capital-invitational-findings


safeApprove() reverts if the allowance is bigger than 0 and it is called with non 0 amount #39

Closed c4-bot-1 closed 8 months ago

c4-bot-1 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/wrapper/WLpMoeMasterChef.sol#L127

Vulnerability details

Impact

Inability to deposit certain lp tokens to WLpMoeMasterChef.

Proof of Concept

The codebase uses OpenZeppelin's v4.9.3 SafeERC20, whose function safeApprove() reverts if the allowance is non 0 and it is called with a non 0 amount.

This would happen all the time with fee on transfer tokens or possibly in some more specific way if non fee on transfer tokens are used.

Tools Used

VS Code, Foundry

Recommended Mitigation Steps

Use SafeERC20:forceApprove().

Assessed type

ERC20

JeffCX commented 8 months ago

emm lp token contract is this https://github.com/traderjoe-xyz/moe-core/blob/main/src/dex/MoePair.sol

c4-judge commented 8 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 8 months ago

fez-init (sponsor) disputed

hansfriese commented 8 months ago

As we can see here, the lp is not a fee-on-transfer token and all the allowance will be used in _depositToMasterChef().

c4-judge commented 8 months ago

hansfriese marked the issue as unsatisfactory: Invalid
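
The report's revert condition and the judge's reason for invalidating it can be checked side by side with a small allowance model. This is an added example, not code from the thread or from the audited project: the `Token` class, the `wrapper` and `masterchef` labels, and `run_deposits` are hypothetical, and the token is assumed to have a standard `approve` that overwrites the allowance.

```python
class Token:
    """Constructed minimal model of ERC20 allowance bookkeeping."""
    def __init__(self):
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, value):
        self.allowance[(owner, spender)] = value  # standard approve overwrites

    def spend(self, owner, spender, value):
        # The allowance side effect of transferFrom.
        current = self.allowance.get((owner, spender), 0)
        if value > current:
            raise RuntimeError("ERC20: insufficient allowance")
        self.allowance[(owner, spender)] = current - value


def safe_approve(token, owner, spender, value):
    # Models the check described in the report for SafeERC20 v4.9.3:
    # non-zero value on top of a non-zero allowance reverts.
    if value != 0 and token.allowance.get((owner, spender), 0) != 0:
        raise RuntimeError("SafeERC20: approve from non-zero to non-zero allowance")
    token.approve(owner, spender, value)


def force_approve(token, owner, spender, value):
    # For a token with a standard approve, forceApprove simply sets the value.
    token.approve(owner, spender, value)


def run_deposits(approve_fn, deposits):
    """deposits: list of (approved, pulled) pairs; returns 'ok'/'revert' per deposit."""
    token, results = Token(), []
    for approved, pulled in deposits:
        try:
            approve_fn(token, "wrapper", "masterchef", approved)
            token.spend("wrapper", "masterchef", pulled)
            results.append("ok")
        except RuntimeError:
            results.append("revert")
    return results


if __name__ == "__main__":
    # Judge's case: the spender consumes the whole allowance every time.
    print(run_deposits(safe_approve, [(100, 100), (50, 50)]))
    # Report's case: allowance is left over, so the next safeApprove reverts.
    print(run_deposits(safe_approve, [(100, 99), (50, 50)]))
    # Recommended mitigation tolerates the leftover allowance.
    print(run_deposits(force_approve, [(100, 99), (50, 50)]))
```

The second scenario only occurs if some allowance remains after a deposit, which is the condition the judge found does not hold for this LP token.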