token.approve() doesn’t check return value #294
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
sirhashalot
Vulnerability details
Impact
Multiple files within the contracts/basket/contracts/singleJoinExit/ directory call
token.approve()
for an ERC20 token, but these calls do not verify whether theapprove()
call failed. Some ERC20 tokens do not revert if an approval fails, and because the return value is not checked, the contract would not be aware of this failure, potentially causing malfunctions in later operations. Using a function from SafeERC20 that checks the return value would mitigate this edge case.Proof of Concept
token.approve() is found in several locations:
Tools Used
Manual analysis
Recommended Mitigation Steps
While the OpenZeppelin SafeERC20
safeApprove()
function could be used to revert on approve failures unlike the standardapprove()
, thesafeApprove()
function is deprecated and instead OpenZeppelin recommends eithersafeIncreaseAllowance()
orsafeDecreaseAllowance()
. Because uint256(-1) should be an increase, replace each instance oftoken.approve(spender, uint256(-1))
withtoken.safeIncreaseAllowance(spender, uint256(-1))
.The text was updated successfully, but these errors were encountered: