SingleJoin/SingleExit ignore the return value of ERC20.approve #114
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
duplicate
This issue or pull request already exists
Handle
Ruhum
Vulnerability details
Impact
According to the ERC20 standard, the `approve()` function returns a boolean value indicating whether the call was successful or not, see https://eips.ethereum.org/EIPS/eip-20#methods. The SingleJoin/SingleExit contracts ignore that return value when approving tokens for the Uniswap router. This can lead to a failed transaction because the contract proceeds with the swap although the `approve()` call failed.
Proof of Concept
Relevant lines:
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExit.sol#L44
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExitV2.sol#L55
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleTokenJoin.sol#L43
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/basket/contracts/singleJoinExit/SingleTokenJoinV2.sol#L53
Tools Used
Slither
Recommended Mitigation Steps
Use `SafeERC20.safeApprove()`, which reverts when the call fails or returns false.
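The unchecked pattern from the linked lines beside the recommended fix, as an added Solidity example that is not the Amun project's code; `FalseReturningToken` is a constructed test double, `ApproveExample` is hypothetical, and the import paths assume OpenZeppelin Contracts v4.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed test double: approve() signals failure with `return false`
/// instead of reverting, which an unchecked call silently swallows.
contract FalseReturningToken {
    function approve(address, uint256) external pure returns (bool) {
        return false;
    }

    function allowance(address, address) external pure returns (uint256) {
        return 0;
    }
}

/// Hypothetical swap helper: both functions approve `router` to spend `amount`.
contract ApproveExample {
    using SafeERC20 for IERC20;

    address public immutable router;

    constructor(address _router) {
        router = _router;
    }

    /// Unchecked (the pattern flagged by Slither's unused-return detector):
    /// the boolean is discarded, so with FalseReturningToken this call
    /// succeeds and the swap that follows fails later with no allowance.
    function approveUnchecked(IERC20 token, uint256 amount) external {
        token.approve(router, amount);
    }

    /// Checked: SafeERC20 reverts if the call reverts or returns false,
    /// and still accepts tokens that return no data. With FalseReturningToken
    /// this reverts immediately, before any swap is attempted.
    /// `require(token.approve(router, amount), "approve failed");` is the
    /// minimal alternative for tokens that always return a bool.
    function approveChecked(IERC20 token, uint256 amount) external {
        token.safeApprove(router, amount);
    }
}
```

OpenZeppelin's `safeApprove` additionally reverts when changing a non-zero allowance to another non-zero value, so a contract that re-approves on every call should reset the allowance to zero first or use `safeIncreaseAllowance`.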