ERC20: [ERC20: USDC, DAI, USDT, own DerbyToken and own VaultToken]
Some ERC20 tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. For example Tether (USDT)'s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.
Vulnerability Detail
Some tokens will revert when updating allowance. They must first be approved by zero and then the actual allowance must be approved.
tsvetanovv
medium
Must approve by zero first
Summary
The protocol currently uses these tokens:
Some ERC20 tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. For example Tether (USDT)'s
approve()
function will revert if the current approval is not zero, to protect against front-running changes of approvals.Vulnerability Detail
Some tokens will revert when updating allowance. They must first be approved by zero and then the actual allowance must be approved.
Impact
The protocol will impossible to use USDT.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/XProvider.sol#L150
Tool used
Manual Review
Recommendation
It is recommended to set the allowance to zero before increasing the allowance.
Change this:
To this:
Duplicate of #36