clesaege
commented
1 month ago As per contest rules, are excluded: - Issues about the collateral token being non standard or malicious. We assume sDAI will be used.
Open hats-bug-reporter[bot] opened 1 month ago
clesaege
commented
1 month ago As per contest rules, are excluded: - Issues about the collateral token being non standard or malicious. We assume sDAI will be used.
rotcivegaf
commented
1 month ago clesaege
commented
1 month ago The arguments are very different #16 is about the Seer contracts not following the standard while #4 is about USDT not following the standard. This should be reported to Tether, not here.
rotcivegaf
commented
1 month ago USDT it's only an example Please read the description and don't focus in the example
As per contest rules, are excluded: - Issues about the collateral token being non standard or malicious. We assume sDAI will be used.
You invalidated this issue for the same reason that you invalidated #16 and then validated it
The report was not the most complex but time is pressing in hats, if I develop a long report they steal the issue from me
clesaege
commented
1 month ago The report was not the most complex but time is pressing in hats, if I develop a long report they steal the issue from me
To get rewards, you need to provide accurate reports. Managing time is a strategy you can choose as a hunter. If you submit stuff too fast, you risk missing the issue. If you submit stuff too slow, someone may have reported it before. Here you decided on the speed and it didn't pay off.
rotcivegaf
commented
1 month ago I don't understand what else you want for an "accurate" report, could you tell me? This bug is one of the most common and has been written a million times
clesaege
commented
1 month ago Even without the exclusion, this wouldn't be a valid issue. The return value of approve is not checked.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x8dceead68da9914030ccc9ebfd5affcebeb129d43c992c67f8f5b3458edf98db Severity: medium
Description: Description:
In the Router contract, the
_splitPosition()function uses the IERC20 interface'sapprove()function to approve an amount ofcollateralToken()for theconditionalTokensaddress. This can cause the functionality to not work with certain widely used tokens.Attack Scenario:
For non-standard tokens such as USDT, calling approve will revert because the ERC20 enforces the underlying token to return a boolean, while a token such as USDT does not.
Mitigation:
This can be mitigated by omitting the return value for markets using tether as collateral.