sherlock-audit / 2024-02-rio-network-core-protocol-judging


Bauer - Revert on Large Approvals & Transfers #114

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

Bauer

medium

Revert on Large Approvals & Transfers

Summary

Some tokens (e.g. UNI, COMP) revert if the value passed to approve or transfer is larger than uint96.

Vulnerability Detail

In the RioLRTOperatorDelegator.stakeERC20() function, if the contract's allowance for the strategy manager is less than the stake amount, the contract forcefully sets the allowance for the strategy manager to the maximum value of uint256 using the forceApprove() function to ensure the stake operation can proceed.

    function stakeERC20(address strategy, address token_, uint256 amount) external onlyDepositPool returns (uint256 shares) {
        // Whenever the allowance is below the stake amount, raise it to the unbounded uint256 maximum.
        if (IERC20(token_).allowance(address(this), address(strategyManager)) < amount) {
            IERC20(token_).forceApprove(address(strategyManager), type(uint256).max);
        }
        // The strategy manager spends the allowance set above when it pulls the deposit.
        shares = strategyManager.depositIntoStrategy(strategy, token_, amount);
    }

However, some tokens (e.g., UNI, COMP) revert if the value passed to approve or transfer is larger than uint96.

Impact

Revert on large approvals

Code Snippet

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTOperatorDelegator.sol#L176

Tool used

Manual Review

Recommendation

Recommend handling tokens of this type.
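
The following Solidity is an added example and is not Rio's, EigenLayer's or any listed token's own code. It models the failure mode the report describes: a constructed token whose approve/transfer/transferFrom revert for any value that does not fit in uint96, a stub strategy manager that pulls the deposit with transferFrom, the unbounded `type(uint256).max` approval pattern from stakeERC20, and a variant that approves only the amount being deposited. Every name other than `stakeERC20` and `depositIntoStrategy` (the `IERC20Min` interface, `Uint96Token`, `StrategyManagerStub`, `DelegatorUnbounded`, `DelegatorExact`, `Demo`) is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below (example-only interface, not Rio's).
interface IERC20Min {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed token modelling the behaviour the report describes: balances and allowances
// are stored as uint96, and approve/transfer/transferFrom revert for values above 96 bits.
contract Uint96Token is IERC20Min {
    mapping(address => uint96) private _balances;
    mapping(address => mapping(address => uint96)) private _allowances;
    constructor(uint96 initialSupply) { _balances[msg.sender] = initialSupply; }

    function _safe96(uint256 n) private pure returns (uint96) {
        require(n < 2 ** 96, "amount exceeds 96 bits");
        return uint96(n);
    }
    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        _allowances[msg.sender][spender] = _safe96(amount); // type(uint256).max reverts here
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, _safe96(amount));
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint96 amt = _safe96(amount);
        uint96 allowed = _allowances[from][msg.sender];
        require(allowed >= amt, "insufficient allowance");
        _allowances[from][msg.sender] = allowed - amt;
        _move(from, to, amt);
        return true;
    }
    function _move(address from, address to, uint96 amt) private {
        require(_balances[from] >= amt, "insufficient balance");
        _balances[from] -= amt;
        _balances[to] += amt;
    }
}

// Stand-in for the strategy manager: pulls the deposit with transferFrom, returns 1:1 shares.
contract StrategyManagerStub {
    function depositIntoStrategy(address, address token, uint256 amount) external returns (uint256) {
        require(IERC20Min(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        return amount;
    }
}

// The pattern from stakeERC20: top the allowance up to type(uint256).max.
contract DelegatorUnbounded {
    StrategyManagerStub public immutable strategyManager;
    constructor(StrategyManagerStub sm) { strategyManager = sm; }
    function stakeERC20(address strategy, address token, uint256 amount) external returns (uint256) {
        if (IERC20Min(token).allowance(address(this), address(strategyManager)) < amount) {
            // On a uint96-bounded token this reverts before the deposit is attempted.
            require(IERC20Min(token).approve(address(strategyManager), type(uint256).max));
        }
        return strategyManager.depositIntoStrategy(strategy, token, amount);
    }
}

// Variant that approves exactly the amount being deposited: any amount the token can hold
// can also be approved, at the cost of one allowance write per stake.
contract DelegatorExact {
    StrategyManagerStub public immutable strategyManager;
    constructor(StrategyManagerStub sm) { strategyManager = sm; }
    function stakeERC20(address strategy, address token, uint256 amount) external returns (uint256) {
        require(IERC20Min(token).approve(address(strategyManager), amount));
        return strategyManager.depositIntoStrategy(strategy, token, amount);
    }
}

// Runs both delegators against the uint96 token in a single call.
contract Demo {
    function run() external returns (bool unboundedReverted, uint256 sharesExact) {
        Uint96Token token = new Uint96Token(1_000_000e18); // 1e24 < 2^96
        StrategyManagerStub sm = new StrategyManagerStub();
        DelegatorUnbounded bad = new DelegatorUnbounded(sm);
        DelegatorExact good = new DelegatorExact(sm);
        token.transfer(address(bad), 100e18);
        token.transfer(address(good), 100e18);
        try bad.stakeERC20(address(0), address(token), 100e18) {
            unboundedReverted = false;
        } catch {
            unboundedReverted = true; // reverted with "amount exceeds 96 bits"
        }
        sharesExact = good.stakeERC20(address(0), address(token), 100e18);
    }
}
```

Deploying `Demo` and calling `run()` yields `unboundedReverted == true` and `sharesExact == 100e18`: the unbounded approval fails on the uint96 token before any deposit happens, while the exact-amount approval goes through. For tokens with approval race protection (the USDT case the contest README lists), the exact-amount path still needs the allowance reset to zero before a new non-zero value is set when a previous approval was not fully consumed, which is what OpenZeppelin's `forceApprove` already does on failure; the two concerns are independent, and an implementation that supports both kinds of token needs to handle both.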

nevillehuang commented 7 months ago

Invalid based on Sherlock rules

  1. Non-Standard tokens: Issues related to tokens with non-standard behaviors, such as weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README.

These tokens were not explicitly mentioned in the following question in the contest details:

Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?

  • We plan to support tokens with no less than 6 decimals and no more than 18 decimals.
  • Tokens may not return a bool on ERC20 methods (e.g. USDT)
  • Tokens may have approval race protections (e.g. USDT)