Unitas Protocol fully relies on USDT stablecoin as an asset. But USDT does not work when changing the allowance from an existing non-zero allowance value.
USDT approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.
Vulnerability Detail
USDT token will revert when updating the allowance. USDT must first be approved by zero and then the actual allowance must be approved. Because Unitas Protocol fully relies on USDT, you can implement approve by zero in the ERC20Token.sol contract.
Impact
The protocol cannot use USDT unless it is first approved by zero.
tsvetanovv
medium
USDT must approve by zero first
Summary
Unitas Protocol fully relies on USDT stablecoin as an asset. But USDT does not work when changing the allowance from an existing non-zero allowance value. USDT
approve()
function will revert if the current approval is not zero, to protect against front-running changes of approvals.Vulnerability Detail
USDT token will revert when updating the allowance. USDT must first be approved by zero and then the actual allowance must be approved. Because Unitas Protocol fully relies on USDT, you can implement approve by zero in the
ERC20Token.sol
contract.Impact
The protocol cannot use USDT unless it is first approved by zero.
Code Snippet
https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/ERC20Token.sol#L215-L234
Tool used
Manual Review
Recommendation
It is recommended to set the allowance to zero before increasing the allowance.