sherlock-audit / 2024-08-winnables-raffles-judging


Spare Opaque Cottonmouth - Not handled return value of `approve()` #616

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

Spare Opaque Cottonmouth

Low/Info

Not handled return value of approve()

Summary

Not handled return value of `approve()` in `WinnablesPrizeManager.sol` and `WinnablesTicketManager.sol`

Vulnerability Detail

`WinnablesPrizeManager` and `WinnablesTicketManager` contracts have constructors and both of them take a param `address _linkToken` which is then passed to the `BaseLinkConsumer` contract's constructor and its `address internal immutable LINK_TOKEN = _linkToken`. Inside the constructors an approve with `type(uint256).max` for the `_ccipRouter` is made:

```solidity
LinkTokenInterface(LINK_TOKEN).approve(_ccipRouter, type(uint256).max);
```

If we dive into the `LinkTokenInterface` interface we see:

```solidity
function approve(address spender, uint256 value) external returns (bool success);
```

The `approve` function returns a boolean value indicating whether the operation was successful. However, it is not handled in the constructors.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesPrizeManager.sol#L54

https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesTicketManager.sol#L64

Tool used

Manual Review

Recommendation

The return `bool success` should be handled.
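The pattern from the report beside a checked form, as an added example; it is not the Winnables contracts and not the fix from the linked PR. `FalseReturningToken`, `UncheckedConsumer`, `CheckedConsumer` and the `LinkApprovalFailed` error are hypothetical names, and the compiler version is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // assumed version; immutables are readable in constructors from 0.8.21

// The one function of the interface that the report quotes.
interface LinkTokenInterface {
    function approve(address spender, uint256 value) external returns (bool success);
}

// Constructed test double (hypothetical): signals failure by returning false
// instead of reverting, which is the case an unchecked call cannot see.
contract FalseReturningToken is LinkTokenInterface {
    function approve(address, uint256) external pure returns (bool) {
        return false;
    }
}

// Pattern described in the report: the returned bool is discarded, so
// construction completes even when the token reports that approval failed.
contract UncheckedConsumer {
    address internal immutable LINK_TOKEN;

    constructor(address _linkToken, address _ccipRouter) {
        LINK_TOKEN = _linkToken;
        LinkTokenInterface(LINK_TOKEN).approve(_ccipRouter, type(uint256).max);
    }
}

// Checked form: a false return aborts construction with a custom error,
// so a consumer without the router allowance is never deployed.
contract CheckedConsumer {
    error LinkApprovalFailed(address token, address spender); // hypothetical name

    address internal immutable LINK_TOKEN;

    constructor(address _linkToken, address _ccipRouter) {
        LINK_TOKEN = _linkToken;
        bool success = LinkTokenInterface(LINK_TOKEN).approve(_ccipRouter, type(uint256).max);
        if (!success) revert LinkApprovalFailed(_linkToken, _ccipRouter);
    }
}
```

Constructing both consumers against `FalseReturningToken` in a test harness shows the difference: the unchecked one deploys, the checked one reverts with `LinkApprovalFailed`.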

sherlock-admin2 commented 2 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/Winnables/public-contracts/pull/9