Some tokens don't allow to set a non-zero approval from a non-zero approval #173
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
duplicate
This issue or pull request already exists
Handle
GiveMeTestEther
Vulnerability details
Impact
Some tokens require the approval amount to first be set to 0 before it can be set to a non-zero amount (USDT: https://etherscan.io/address/0xdac17f958d2ee523a2206206994597c13d831ec7#code). This makes the _maxApprove() and the approve.selector calls incompatible with such tokens.
Proof of Concept
approve.selector:
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManagerV3.sol#L75
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManagerV2.sol#L70
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManager.sol#L131
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManager.sol#L84
.approve():
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExit.sol#L39
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleNativeTokenExitV2.sol#L50
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleTokenJoin.sol#L38
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleTokenJoinV2.sol#L48
Tools Used
Recommended Mitigation Steps
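The behaviour described in the report, as an added example that is not part of the original issue and is not the Amun code: ZeroFirstToken is a constructed mock that reproduces only the USDT-style guard in approve(), and ApproveDemo, naiveMaxApprove and safeMaxApprove are hypothetical names. It shows the approval pattern that reverts on such a token next to one that resets the allowance to 0 first.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed mock: reproduces only the USDT-style guard in approve().
contract ZeroFirstToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // Like USDT, returns no value and rejects non-zero -> non-zero changes.
    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical caller used for illustration only.
contract ApproveDemo {
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));

    // Low-level call so tokens returning nothing (USDT) or a bool are both handled.
    function _callApprove(address token, address spender, uint256 value) private returns (bool) {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(abi.encodeWithSelector(APPROVE, spender, value));
        // Success means: no revert, and either no return data or a returned `true`.
        return ok && (ret.length == 0 || abi.decode(ret, (bool)));
    }

    // Naive pattern: works once, then reverts on ZeroFirstToken while the
    // previous allowance is still non-zero.
    function naiveMaxApprove(address token, address spender) external {
        require(_callApprove(token, spender, type(uint256).max), "approve failed");
    }

    // Compatible pattern: clear the existing allowance, then set the new one.
    function safeMaxApprove(address token, address spender) external {
        require(_callApprove(token, spender, 0), "reset failed");
        require(_callApprove(token, spender, type(uint256).max), "approve failed");
    }
}
```

Calling naiveMaxApprove twice against ZeroFirstToken reverts on the second call, while safeMaxApprove succeeds on every call because the allowance is 0 when the non-zero value is set.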