Closed c4-bot-1 closed 5 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) confirmed
othernet-global (sponsor) disputed
This issue was uncovered in the Bot Report:
https://github.com/code-423n4/2024-01-salty/blob/main/bot-report.md#l-02
Picodes marked the issue as unsatisfactory: Out of scope
Flagging as out of scope following the bot-race.
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L96-L97
Vulnerability details
Impact
Due to this vulnerability, users won't be able to deposit liquidity in pools with ERC-20 tokens that use approval race protection like
USDT
.Proof of Concept
A user can deposit liquidity in a pool by calling Liquidity.sol depositLiquidityAndIncreaseShare() which then calls the internal function _depositLiquidityAndIncreaseShare().
In
_depositLiquidityAndIncreaseShare()
(only steps relevant to the bug are explained):Pools
contract so that they can be used by the pool for deposit.We can see that the whole approved amount for either token might not be used by the
Pools
contract.Given the scenario above, if the liquidity pool has a token with approval race protection like USDT, the deposits to the pool will revert if some amount is already approved to the
Pools
contract.https://github.com/d-xo/weird-erc20#approval-race-protections
POC:
depositLiquidityAndIncreaseShare()
withmaxAmountA=1000
andmaxAmountB=1000
tokenA=1000
andUSDT=500
are depositedPools
contract i.e tokenA.approve(pools,1000) and USDT.approve(pools,1000)Pools
after the transfer abovedepositLiquidityAndIncreaseShare()
withmaxAmountA=1000
andmaxAmountB=1000
Tools Used
Manual review
Recommended Mitigation Steps
The
_depositLiquidityAndIncreaseShare()
function checks after the deposit for unused tokens of the user to send them back. We can add approve(0) for the token to mitigate this issuehttps://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Liquidity.sol#L109-L114
Current
After mitigation
Assessed type
ERC20