FraxPool.sol has an extra approve() on redemption functions

[jasonhuan]

In FraxPool.sol L242, L274-275, L296, there is an extra approve() which is not necessary for transferring the tokens back to the redeemer in collectRedemption(). This bug has been reported by @samczsun.

Link to bug:

frax-solidity/contracts/Frax/Pools/FraxPool.sol

Line 242 in d1cb9a7

collateral_token.approve(msg.sender, collateral_needed);

[jasonhuan]

This bug has been fixed in commit: c476638.

25,000 FXS will be rewarded, subject to bug bounty rules and vesting.

[ytrezq]

@corddry hi, I found an infinite inflation bug not on Ethereum but because of an L2 intrestic characteristics where msg.sender can be null. Where should I report it?

[samkazemian]

Hey @ytrezq is the bug referring to the same scope and file as fraxpool.sol as before? Or is it a new issue you want to open a new thread on? This issue topic is for a bug back from 2020.

Regardless, you can reach out to me on Telegram for secure communication using this link https://t.me/samkazemian

You can also reach out to Travis Moore on Telegram as well using this link https://t.me/FortisFortuna_89

[ytrezq]

@samkazemian It’s unrelated, but I don’t think it can be disclosed in public as once becoming a minter, getting infinite supply is a single transaction process.

[samkazemian]

Understood @ytrezq Can you let me know your Telegram username to communicate privately? My Telegram username is @samkazemian (the same as my github and my Twitter).

[ytrezq]

@samkazemian : Ok, I just sent you a message from @ytrezq on Telegram.

[FortisFortuna]

Just sent you a message on TG