Closed c4-bot-1 closed 8 months ago
emm lp token contract is this https://github.com/traderjoe-xyz/moe-core/blob/main/src/dex/MoePair.sol
hansfriese marked the issue as primary issue
fez-init (sponsor) disputed
As we can see here, the lp is not a fee-on-transfer token and all the allowance will be used in _depositToMasterChef().
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/wrapper/WLpMoeMasterChef.sol#L127
Vulnerability details
Impact
Inability to deposit certain lp tokens to WLpMoeMasterChef.
Proof of Concept
The codebase uses OpenZeppelin's v4.9.3 SafeERC20, whose function safeApprove() reverts if the allowance is non-zero and it is called with a non-zero amount. This would happen all the time with fee-on-transfer tokens or possibly in some more specific way if non-fee-on-transfer tokens are used.
Tools Used
Vscode, Foundry
Recommended Mitigation Steps
Use SafeERC20:forceApprove().
Assessed type
ERC20
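An added example, not part of the original submission or the project's code: a self-contained Solidity model of the disagreement above, showing that the OpenZeppelin v4.9.3 safeApprove precondition only reverts when the spender leaves part of the allowance unspent. MockToken, MockSpender, Depositor and Demo are constructed names, and the `used` parameter is an assumption standing in for how much the spender actually pulls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed mock: tracks allowances only, no balances.
contract MockToken {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt;
        return true;
    }
    // Stand-in for transferFrom: the caller consumes part of its allowance.
    function spend(address owner, uint256 amt) external {
        allowance[owner][msg.sender] -= amt;
    }
}

// Hypothetical spender that consumes only `used` of what it was approved for.
contract MockSpender {
    function pull(MockToken t, uint256 used) external {
        t.spend(msg.sender, used);
    }
}

contract Depositor {
    MockToken public token = new MockToken();
    MockSpender public spender = new MockSpender();
    // Same precondition as SafeERC20.safeApprove in OpenZeppelin v4.9.3.
    function depositSafeApprove(uint256 amt, uint256 used) external {
        require(amt == 0 || token.allowance(address(this), address(spender)) == 0,
            "SafeERC20: approve from non-zero to non-zero allowance");
        token.approve(address(spender), amt);
        spender.pull(token, used);
    }
    // forceApprove-style: overwrite whatever allowance is left over.
    function depositForceApprove(uint256 amt, uint256 used) external {
        token.approve(address(spender), amt);
        spender.pull(token, used);
    }
}

// Constructed walk-through of the three cases.
contract Demo {
    function run() external returns (bool full, bool residue, bool force) {
        Depositor d = new Depositor();
        try d.depositSafeApprove(100, 90) { full = true; } catch {}
        try d.depositSafeApprove(100, 100) { residue = true; } catch {}
        try d.depositForceApprove(100, 100) { force = true; } catch {}
    }
}
```

Demo.run() returns (true, false, true): the first deposit succeeds but leaves 10 approved, the next safeApprove-style deposit reverts on that residue, and the forceApprove-style deposit goes through. When `used` always equals `amt`, as the sponsor describes for _depositToMasterChef(), the safeApprove-style path never sees a non-zero allowance.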