Protocol is incompatible with USDT due to lack of 0 approval

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x9e61c4421fb3e913fe5cebfb03fcf42e1fe9bf8890c7e99fa8bc1d317fc51aee Severity: medium

Description: Description

USDT token do not work when changing the allowance from an existing non-zero allowance value. For example Tether (USDT)’s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals. Link to usdt contract reference(SLOC 199-209)

In the protocol, all functions using approve() must be first approved by zero.

In BfxVault.sol, makeDeposit() is called to deposit the tokens i.e payment token which can be USDT token and it requires to make ERC20 approvals.

    function makeDeposit(uint256 amount) external {
        require(signers[msg.sender][TREASURER_ROLE], "NOT_A_TREASURER");
        _doDeposit(amount);
    }

    function _doDeposit(uint256 amount) internal {
        paymentToken.approve(address(bfx), amount);
        bfx.deposit(amount);
    }

But _doDeposit() does not approve 0 first in case of USDT as paymentToken.

Tokens like USDT will not be possible to approve or use in Protocol functions.

I have identified this issue as Medium severity with below contest rules for Medium severity.

Attacks that make essential functionality of the contracts temporarily unusable or inaccessible.

Issue location

https://github.com/BlastFutures/Blast-Futures-Exchange/blob/e05c71bff53dcd9172bc714d0f9ddb2f403e23e1/foundry/src/BfxVault.sol#L230

Recommendation

Approve 0 first in case of USDT tokens or Alternatively use forceApprove() from openZeppelin’s SafeERC20.

[PlamenTSV]

All of the approve actions are followed by transfers of exactly the same amount. This means that once an approval of X is granted, it will be immediately send, thus resetting the approval back to 0.