search

sherlock-audit / 2023-06-bond-judging

3 stars 3 forks source link

tsvetanovv - The user can't recive rewards if token is USDT #96

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

tsvetanovv

medium

The user can't recive rewards if token is USDT

Summary

The protocol currently these any tokens:

Which ERC20 tokens do you expect will interact with the smart contracts?

  • Any

Some tokens will revert when updating the allowance. They must first be approved by zero and then the actual allowance must be approved.

Vulnerability Detail

Тhe problem occurs in _claimEpochRewards():

504: payoutToken.approve(address(optionTeller), rewards);

Some ERC20 tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. For example Tether (USDT)'s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.

Impact

The protocol will impossible to use USDT token.

Code Snippet

https://github.com/sherlock-audit/2023-06-bond/blob/main/options/src/fixed-strike/liquidity-mining/OTLM.sol#L504

Tool used

Manual Review

Recommendation

It is recommended to set the allowance to zero before increasing the allowance.

Duplicate of #86