Approval is not reset if the call to IFulfillHelper fails #31
Labels: 3 (High Risk), bug, sponsor confirmed
Handle: pauliax
Vulnerability details
Impact
The function fulfill first approves callTo to transfer an amount of toSend tokens and then tries to call IFulfillHelper; if that call fails, it transfers the assets directly instead. However, in that case the approval is not reset, so a malicious callTo can pull these tokens from the contract later:
```solidity
// First, approve the funds to the helper if needed
// (this allowance remains in place if the subsequent IFulfillHelper call reverts)
if (!LibAsset.isEther(txData.receivingAssetId) && toSend > 0) {
  require(LibERC20.approve(txData.receivingAssetId, txData.callTo, toSend), "fulfill: APPROVAL_FAILED");
}
```
Recommended Mitigation Steps
The approve call should be placed inside the try/catch block, or the approval should be reset to zero if the call to the helper fails.
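The following contract is an added illustration of the pattern described in this finding and of the second mitigation (resetting the allowance on failure); it is not the project's own code. The IERC20 and IHelper interfaces, the addFunds function name, the fallbackTo parameter and the contract name are assumptions chosen for the example, and IHelper stands in for IFulfillHelper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this illustration (not the project's own
// definitions); only the functions the example needs are declared.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IHelper {
    // Hypothetical stand-in for IFulfillHelper: the helper is expected to pull
    // `amount` of `asset` from msg.sender via transferFrom during this call.
    function addFunds(address asset, uint256 amount) external;
}

contract FulfillApprovalExample {
    // VULNERABLE: mirrors the pattern in the finding. If the helper call
    // reverts, the fallback transfer sends the tokens directly, but the
    // allowance granted to `callTo` is left in place and can be spent later
    // against whatever balance of `asset` this contract holds.
    function fulfillVulnerable(address asset, address callTo, address fallbackTo, uint256 toSend) external {
        require(IERC20(asset).approve(callTo, toSend), "fulfill: APPROVAL_FAILED");
        try IHelper(callTo).addFunds(asset, toSend) {
            // helper pulled the funds; nothing else to do
        } catch {
            // allowance is NOT reset here: this is the bug
            require(IERC20(asset).transfer(fallbackTo, toSend), "fulfill: TRANSFER_FAILED");
        }
    }

    // HARDENED: on failure, revoke the allowance before falling back to a
    // direct transfer, so `callTo` retains no claim on this contract's balance.
    function fulfillHardened(address asset, address callTo, address fallbackTo, uint256 toSend) external {
        require(IERC20(asset).approve(callTo, toSend), "fulfill: APPROVAL_FAILED");
        try IHelper(callTo).addFunds(asset, toSend) {
            // helper pulled the funds; nothing else to do
        } catch {
            // reset the allowance to zero before taking the fallback path
            require(IERC20(asset).approve(callTo, 0), "fulfill: APPROVAL_RESET_FAILED");
            require(IERC20(asset).transfer(fallbackTo, toSend), "fulfill: TRANSFER_FAILED");
        }
    }
}
```

Resetting the allowance in the catch block is the smaller of the two changes the finding proposes, since Solidity's try/catch only wraps a single external call and the approve is a separate call to the token. If the helper is not guaranteed to pull exactly toSend on success, the same approve(callTo, 0) belongs after the successful call as well, so that no residual allowance survives either path.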