Open sherlock-admin4 opened 5 months ago
Yeah, this might happen. We should add it. What are your thoughts on using forceApprove from OZ instead? I think pending allowances would not cause a revert and it would be cleaner. Though in some places you might want to just change it to 0 after.
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid; medium(4)
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/pull/181.
bin2chen
medium
Balancer using safeApprove may lead to revert.
Summary
When executing Balancer._routerSwap(), the oz safeApprove function is used to set an allowance. Due to the presence of the convertRate in the router, Balancer._routerSwap() rounds down the incoming quantity. This behavior may result in the allowance not being fully used, causing a subsequent execution of oz.safeApprove() to revert.
Vulnerability Detail
The code snippet for Balancer._routerSwap() is as follows:
In the above code, SafeERC20.safeApprove() from the oz library is used, but the allowance is not cleared afterward. Consequently, if the current allowance is not fully used during this transaction, a subsequent execution of SafeERC20.safeApprove() will revert.
Is it guaranteed that router.swap() will fully use the allowance? Not necessarily. Due to the presence of convertRate in the implementation code, the router rounds down the amount, potentially leaving a remainder in the allowance.
DAI pool convertRate = 1e12
DAI pool: https://etherscan.io/address/0x0Faf1d2d3CED330824de3B8200fc8dc6E397850d#readContract
router codes: https://etherscan.io/address/0x8731d54E9D02c286767d56ac03e8037C07e01e98#code
Impact
Unused allowance may lead to failure in subsequent _routerSwap() executions.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/Balancer.sol#L308
Tool used
Manual Review
Recommendation
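The failure described in the report above, modelled as an added example that is not part of the original issue and is not Tapioca, Stargate or OpenZeppelin code. The class and function names are hypothetical, the amounts are constructed, and the router is modelled only as far as the report describes it (it rounds the amount down by convertRate before pulling tokens).

```python
# Added model of the allowance arithmetic; all names here are hypothetical.
CONVERT_RATE = 10**12  # DAI pool convertRate quoted in the report


class Revert(Exception):
    """Stands in for an EVM revert."""


class Token:
    def __init__(self):
        self.allowance = 0  # single owner -> spender allowance

    def safe_approve(self, value):
        # SafeERC20.safeApprove only permits 0 -> value or value -> 0.
        if value != 0 and self.allowance != 0:
            raise Revert("approve from non-zero to non-zero allowance")
        self.allowance = value

    def force_approve(self, value):
        # Net effect of SafeERC20.forceApprove: overwrite any pending allowance.
        self.allowance = value


def router_swap(token, amount_ld):
    """Round down by convertRate, then spend only that much of the allowance."""
    pulled = amount_ld // CONVERT_RATE * CONVERT_RATE
    token.allowance -= pulled
    return pulled


def run_swaps(amounts, approve_name):
    """Approve then swap per amount; return (completed swaps, leftover allowance)."""
    token = Token()
    approve = getattr(token, approve_name)
    done = 0
    for amount in amounts:
        try:
            approve(amount)
        except Revert:
            break  # every later swap fails the same way until the dust is cleared
        router_swap(token, amount)
        done += 1
    return done, token.allowance


# Constructed amounts: the first is not a multiple of 1e12, so dust stays approved.
AMOUNTS = [5 * 10**18 + 123, 2 * 10**18]
if __name__ == "__main__":
    for name in ("safe_approve", "force_approve"):
        print(name, run_swaps(AMOUNTS, name))
```

Resetting the allowance to 0 after the swap, as the comment at the top of the thread also mentions, clears the leftover dust.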