search

sherlock-audit / 2023-12-arcadia-judging

18 stars 15 forks source link

zzykxx - Approval in StakedStargateAM::_stake() doesn't use safeApprove #175

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

zzykxx

medium

Approval in StakedStargateAM::_stake() doesn't use safeApprove

Summary

Vulnerability Detail

The function StakedStargateAM::_stake() approves LP_STAKING_TIME to transfer an amount of asset (LP tokens) from the StakedStargateAM contract itself.

The README claims that safe functions from solmate are used to deal with non-compliant ERC20 tokens but this is not true in this case.

Impact

StakedStargateAM might be incompatible with non-compliant ERC20 tokens.

Code Snippet

Tool used

Manual Review

Recommendation

In StakedStargateAM::_stake() use solmate safeApprove to approve LP_STAKING_TIME to transfer tokens from StakedStargateAM.

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 7 months ago

Invalid, I believe based on currently supported tokens, standard approve() function is sufficient.

COMP, DAI, USDT, USDC, USDbC, rETH, wstETH, cbETH, wETH, SGT