hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7

1 stars 0 forks source link

Splitting will not work for USDT #4

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x8dceead68da9914030ccc9ebfd5affcebeb129d43c992c67f8f5b3458edf98db Severity: medium

Description: Description:

In the Router contract, the _splitPosition() function uses the IERC20 interface's approve() function to approve an amount of collateralToken() for the conditionalTokens address. This can cause the functionality to not work with certain widely used tokens.

Attack Scenario:

For non-standard tokens such as USDT, calling approve will revert because the ERC20 enforces the underlying token to return a boolean, while a token such as USDT does not.

Mitigation:

This can be mitigated by omitting the return value for markets using tether as collateral.

clesaege commented 1 month ago

As per contest rules, are excluded: - Issues about the collateral token being non standard or malicious. We assume sDAI will be used.

rotcivegaf commented 1 month ago

https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/issues/16#issuecomment-2374745654 Same argument here

clesaege commented 1 month ago

The arguments are very different #16 is about the Seer contracts not following the standard while #4 is about USDT not following the standard. This should be reported to Tether, not here.

rotcivegaf commented 1 month ago

USDT it's only an example Please read the description and don't focus in the example

As per contest rules, are excluded: - Issues about the collateral token being non standard or malicious. We assume sDAI will be used.

You invalidated this issue for the same reason that you invalidated #16 and then validated it

The report was not the most complex but time is pressing in hats, if I develop a long report they steal the issue from me

clesaege commented 1 month ago

The report was not the most complex but time is pressing in hats, if I develop a long report they steal the issue from me

To get rewards, you need to provide accurate reports. Managing time is a strategy you can choose as a hunter. If you submit stuff too fast, you risk missing the issue. If you submit stuff too slow, someone may have reported it before. Here you decided on the speed and it didn't pay off.

rotcivegaf commented 1 month ago

I don't understand what else you want for an "accurate" report, could you tell me? This bug is one of the most common and has been written a million times

clesaege commented 1 month ago

Even without the exclusion, this wouldn't be a valid issue. The return value of approve is not checked.