Lend() doesn't call approve before safeTransferFrom is used.
Summary
SafeTransferFrom and transferFrom methods need allowance from owner of erc20 tokens to be used.
Vulnerability Detail
Both SafeTransferFrom and transferFrom functions in the ERC-20 standard require the sender to have an allowance for the ERC-20 tokens they are attempting to transfer.
The safeTransferFrom and transferFrom functions moves amount tokens from sender to recipient using the allowance mechanism. amount is then deducted from the caller’s allowance.
PRAISE
medium
Lend() doesn't call approve before safeTransferFrom is used.
Summary
SafeTransferFrom and transferFrom methods need allowance from owner of erc20 tokens to be used.
Vulnerability Detail
Both SafeTransferFrom and transferFrom functions in the ERC-20 standard require the sender to have an allowance for the ERC-20 tokens they are attempting to transfer.
The safeTransferFrom and transferFrom functions moves amount tokens from sender to recipient using the allowance mechanism. amount is then deducted from the caller’s allowance.
OZ docs-- https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#IERC20-transferFrom-address-address-uint256-
Impact
Without an allowance, the transfer will fail, and the transaction would be reverted.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L616
this too https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L869
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/IchiSpell.sol#L302
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/IchiSpell.sol#L315
Tool used
Manual Review
Recommendation
Call approve before the safeTransferFrom method attempts to transfer funds.