sherlock-audit / 2023-04-unitasprotocol-judging


tsvetanovv - USDT must approve by zero first #94

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

tsvetanovv

medium

USDT must approve by zero first

Summary

Unitas Protocol fully relies on the USDT stablecoin as an asset. But USDT does not work when changing the allowance from an existing non-zero allowance value. USDT's approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.

Vulnerability Detail

USDT token will revert when updating the allowance. USDT must first be approved by zero and then the actual allowance must be approved. Because Unitas Protocol fully relies on USDT, you can implement approve by zero in the ERC20Token.sol contract.

Impact

The protocol cannot use USDT unless it is first approved by zero.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/ERC20Token.sol#L215-L234

Tool used

Manual Review

Recommendation

It is recommended to set the allowance to zero before increasing the allowance.
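
The zero-first approval recommended above, as an added example that is not part of the original report or of the Unitas code base. `MockUSDTLike`, `ZeroFirstApprove`, `forceApprove` and `Demo` are hypothetical names; the mock only models the revert rule the report describes, and the low-level call assumes a token whose `approve` may return no value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20Allowance {
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock of the rule in the report: changing a non-zero
// allowance to another non-zero value reverts. approve() returns nothing.
contract MockUSDTLike {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(!(value != 0 && allowance[msg.sender][spender] != 0), "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical helper: reset the allowance to zero only when needed, then set it.
library ZeroFirstApprove {
    function forceApprove(address token, address spender, uint256 value) internal {
        // Skip the extra call when the current allowance is already zero.
        if (value != 0 && IERC20Allowance(token).allowance(address(this), spender) != 0) {
            _callApprove(token, spender, 0);
        }
        _callApprove(token, spender, value);
    }

    // Accepts tokens that return nothing as well as tokens that return a bool.
    function _callApprove(address token, address spender, uint256 value) private {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, value)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}

// Demo: the second update would revert if approve() were called directly.
contract Demo {
    function run(address spender) external returns (uint256) {
        MockUSDTLike token = new MockUSDTLike();
        ZeroFirstApprove.forceApprove(address(token), spender, 100);
        ZeroFirstApprove.forceApprove(address(token), spender, 250);
        return token.allowance(address(this), spender);
    }
}
```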