search

sherlock-audit / 2022-11-sense-judging

1 stars 0 forks source link

minhquanym - Possible DOS in RollerPeriphery `approve()` function #46

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

minhquanym

medium

Possible DOS in RollerPeriphery approve() function

Summary

https://github.com/sherlock-audit/2022-11-sense/blob/main/contracts/src/RollerPeriphery.sol#L100-L102

Vulnerability Detail

Function approve(...) is public and can be called by anyone, so attacker can simply call this function with amount = 0. This will effectively prevent depositing/minting in vault.

Impact

DOS minting and depositing functionalities in RollerPeriphery

Code Snippet

function approve(ERC20 token, address to, uint256 amount) public payable {
    token.safeApprove(to, amount); // @audit front-run DOS  
}

Tool used

Manual Review

Recommendation

Consider only allowing authorized actors to call approve() function. Or only allowing approve to type(uint).max value.

Duplicate of #48

aktech297 commented 1 year ago

Fix is done such that the approve function can be called by trusted caller. I see changes like importing the Trust from sense-v1 and setting the trusted address during contract creation.

jparklev commented 1 year ago

Fix: https://github.com/sense-finance/auto-roller/pull/15

aktech297 commented 1 year ago

Fixes are confirmed...