Function approve(...) is public and can be called by anyone, so attacker can simply call this function with amount = 0. This will effectively prevent depositing/minting in vault.
Impact
DOS minting and depositing functionalities in RollerPeriphery
Code Snippet
function approve(ERC20 token, address to, uint256 amount) public payable {
token.safeApprove(to, amount); // @audit front-run DOS
}
Tool used
Manual Review
Recommendation
Consider only allowing authorized actors to call approve() function.
Or only allowing approve to type(uint).max value.
Fix is done such that the approve function can be called by trusted caller.
I see changes like importing the Trust from sense-v1 and setting the trusted address during contract creation.
minhquanym
medium
Possible DOS in RollerPeriphery
approve()
functionSummary
https://github.com/sherlock-audit/2022-11-sense/blob/main/contracts/src/RollerPeriphery.sol#L100-L102
Vulnerability Detail
Function
approve(...)
is public and can be called by anyone, so attacker can simply call this function withamount = 0
. This will effectively prevent depositing/minting in vault.Impact
DOS minting and depositing functionalities in RollerPeriphery
Code Snippet
Tool used
Manual Review
Recommendation
Consider only allowing authorized actors to call
approve()
function. Or only allowing approve totype(uint).max
value.Duplicate of #48