xiaoming90
medium
Approve Returned Value Not Validated
Summary
The returned value of an approve() call is not validated.
Vulnerability Detail
During vault initialization, the contract calls tokenAddress.approve to allow Notional to pull the lend underlying currency at Line 100. However, it does not check the success return value. Some tokens do not revert if the approval failed but return false instead.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/CrossCurrencyfCashVault.sol#L79
Impact
Tokens that don't actually perform the approve and return false might be counted as a correct approve. Thus, the function might proceed with the execution and assume that there is sufficient allowance to work with. This might result in a revert at a later stage of the execution, when the code notices that there is insufficient allowance during transfer, causing features within the vault to stop working.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/CrossCurrencyfCashVault.sol#L79
Tool used
Manual Review
Recommendation
Check the return value of the ERC20 approve operation to validate that it completed successfully.
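One way to apply this recommendation, shown beside the unchecked pattern the finding describes. This is an added example, not Notional's code or its fix; VaultInitExample, CheckedApprove, FalseReturningToken and their function names are hypothetical, and the token contract is constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed test token: approve() sets no allowance and signals failure by returning false.
contract FalseReturningToken {
    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

// Hypothetical helper library (not part of the audited code base).
library CheckedApprove {
    // Accepts tokens that return true or return no data at all;
    // rejects a revert, an explicit false, and an address with no code.
    function checkedApprove(address token, address spender, uint256 amount) internal {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}

contract VaultInitExample {
    // Pattern described in the finding: the bool result is dropped, so a
    // false return goes unnoticed and the failure only surfaces later,
    // when a transfer finds there is no allowance.
    function initUnchecked(address token, address spender) external {
        IERC20(token).approve(spender, type(uint256).max);
    }

    // Hardened form: initialization reverts immediately if the approval failed.
    function initChecked(address token, address spender) external {
        CheckedApprove.checkedApprove(token, spender, type(uint256).max);
    }
}
```

Called with a FalseReturningToken address, initUnchecked completes without error while initChecked reverts with "approve failed".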