Open hats-bug-reporter[bot] opened 6 months ago
Thank you for the submission.
The submission mentions two problems:
approve
methods approve
callThis problem is not valid for the following reasons:
OOS
, since this problem is not caused by our changes or new functionality, but comes from inherited code
Github username: @0xRizwan Twitter username: 0xRizwann Submission hash (on-chain): 0x9bd287e463c89f4cf5101114448efd774a5094cf6058f2cf9db82af7ced2dfbb Severity: medium
Description: Vulnerability Detail
The ERC20.approve() function return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead.
Per EIP20, approve() function should be as below,
It means, for ERC20 approvals the return value must be checked to be incompliance with EIP20 tokens.
The issue here is that tokens like USDT don't correctly implement the EIP20 standard and their approve() function return void instead of a success boolean. This can be checked from below USDT approve() function.
It is confirmed that, USDT token approval does not check return value for approvals and this is violating the EIP20. Therefore, calling USDT approve function with the correct EIP20 function signatures will always revert.
Tokens that don't actually perform the approval and return false are still counted as a correct approval and tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.
Therefore, In the protocol, all functions using approve() must be check the return value.
Recommendation
Use safeApprove OR forceApprove() from openZeppelin’s SafeERC20. This checks the return value and makes it compliant with EIP20.