Closed sherlock-admin closed 1 year ago
A few things that I think are important to consider that Vaults are launched at the teams discretion and will therefore be tested and validated for functionality prior. This is unlike permissionless AMMs (e,g, Sushiswap, Curve, Uniswap, etc) where users can deploy liquidity pools at will.
I agree that this could be an issue for some tokens however I don't think this warrants a "Medium" severity given that the team has discretion on which tokens are supported.
berndartmueller
medium
Certain ERC-20 tokens will break auction processing
Summary
Some ERC-20 tokens require first setting the token allowance to
0
before setting it to a non-zero value. This is not the case in theVaultAdmin.processAuction
function, therefore, if one of those affected tokens is used, auctions processing will fail.Vulnerability Detail
During the auction processing, the
VaultAdmin.processAuction
function will callERC20.approve
to approve the Premia pool to spend funds. However, some ERC-20 tokens, like USDT (see line 199) or KNC (see line 154), require first reducing the address allowance to 0 and then approve the actual allowance. Otherwise, the approve function will revert and the auction processing will fail.Currently, Premia does not use any of these affected tokens. However, if Premia decides to add one of these tokens in the future, the auction processing will fail and the
VaultAdmin
facet has to be upgraded.It seems Premia does not necessarily spend the total allowance - see https://github.com/Premian-Labs/premia-contracts/blob/master/contracts/pool/PoolInternal.sol#L1341. Therefore it's possible to have a leftover allowance.
Impact
Auctions can not be processed.
Code Snippet
vault/VaultAdmin.sol#L300-L303
Tool Used
Manual review
Recommendation
Consider using
ERC20.approve(address(Pool), 0)
before to ensure that the allowance is set to 0 before setting the actual amount.