BaseBranchRouter._transferAndApproveToken may revert in some cases #520
Comments
0xA5DF marked the issue as duplicate of #896

0xA5DF marked the issue as low quality report

alcueca marked the issue as unsatisfactory:

USDT reverts because it needs to approve to zero first, which is also in the bot report:

The issue described in this report is not about approving to zero first, but the difference between

alcueca marked the issue as not a duplicate

alcueca marked the issue as satisfactory

Very good PoC and explanation. Apologies for getting the report confused with #896

Note that while this deviation from the standard only happens on the mainnet variant of USDT, and not on the Arbitrum one, it is likely that the protocol would be extended with branches to mainnet. Non-adherence to the ERC20 standard in the case of mainnet USDT can't be considered a poisoned token, and therefore the Medium severity is sustained.

Addressed at Maia-DAO/2023-09-maia-remediations@cbdd6e2

0xBugsy (sponsor) confirmed
Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/BaseBranchRouter.sol#L175

Vulnerability details

Impact

In bot-report.md, [M-04] "Return values of `approve()` not checked" describes that "By not checking the return value, operations that should have marked as failed, may potentially go through without actually approving anything". But this report is different from [M-04]. If the token's `approve` does not return a value, like USDT, then `ERC20(_token).approve` will revert. Because `ERC20` comes from solmate/tokens/ERC20.sol, its `approve` is defined as `function approve(address spender, uint256 amount) public virtual returns (bool)`, where the return value is of type bool with a size of 1 byte. The bytecode compiled by the Solidity compiler from `ERC20(_token).approve` will check whether the return size is 1 byte. If not, a revert will occur. This will cause all functions calling `_transferAndApproveToken` to revert. This includes `callOutAndBridge` and `callOutAndBridgeMultiple`.

Proof of Concept

At L175, the compiled code of `ERC20(_token).approve(_localPortAddress, _deposit)` is similar to the following:

Copy the coded PoC below into a Foundry project and run `forge test -vvv` to prove this issue.

Tools Used

Manual Review

Recommended Mitigation Steps

Use `safeApprove` from solady/utils/SafeTransferLib.sol.

Assessed type

DoS
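The following Foundry test is an added example, not the warden's PoC (which is not reproduced on this page) and not the Maia project's code. It pairs a constructed USDT-like token whose `approve` returns nothing with the two approval styles discussed above: a high-level call through a `returns (bool)` interface (the shape of `ERC20(_token).approve` in `_transferAndApproveToken`), and the recommended `SafeTransferLib.safeApprove`. The `NoReturnToken`, `IERC20Bool`, `Router` and `PORT` names are assumptions for this example, and the import path assumes the `solady/` remapping used in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
// Assumes a remapping solady/ -> solady/src/ in foundry.toml (as in the report's path).
import {SafeTransferLib} from "solady/utils/SafeTransferLib.sol";

// Constructed stand-in for mainnet USDT: approve() updates state but returns nothing.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

// Interface with the standard signature, as solmate's ERC20 declares approve().
interface IERC20Bool {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical router holding the two approval styles side by side.
contract Router {
    // Vulnerable shape: a high-level call through a returns(bool) interface.
    // solc inserts a check that enough return data came back to ABI-decode the
    // declared bool (32 bytes); an empty return fails that check and reverts.
    function approveViaInterface(address token, address spender, uint256 amount) external {
        IERC20Bool(token).approve(spender, amount);
    }

    // Hardened shape: safeApprove treats "returned true" and "returned nothing"
    // as success and only reverts when the call fails or returns false.
    function approveSafely(address token, address spender, uint256 amount) external {
        SafeTransferLib.safeApprove(token, spender, amount);
    }
}

contract ApproveRevertTest is Test {
    NoReturnToken token;
    Router router;
    address constant PORT = address(0xBEEF); // placeholder for the local port address

    function setUp() public {
        token = new NoReturnToken();
        router = new Router();
    }

    // The revert happens inside Router's frame (after the token call returns),
    // which is why the call goes through a separate contract rather than
    // directly from the test: expectRevert matches the next call's outcome.
    function testInterfaceApproveReverts() public {
        vm.expectRevert();
        router.approveViaInterface(address(token), PORT, 1e6);
        // The whole router call was rolled back, so no allowance was recorded.
        assertEq(token.allowance(address(router), PORT), 0);
    }

    function testSafeApproveSucceeds() public {
        router.approveSafely(address(token), PORT, 1e6);
        assertEq(token.allowance(address(router), PORT), 1e6);
    }
}
```

Run it with `forge test -vvv` in a project that has forge-std and solady installed. The first test shows the denial of service the report describes (every caller of the interface-style approve reverts for this token), and the second shows that the recommended mitigation completes the approval against the same token.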