DoS due to approve in claimGovFees Lock.sol #277
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-198
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L117
Vulnerability details
Impact
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L117
Some ERC20 tokens, like USDT, require the allowance to be set to zero before a new approve can be done: https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code
So if USDT is added as a bondNFT asset, this approve call will fail and claimGovFees will revert, causing DoS.
Proof of Concept
Code given above
Tools Used
None
Recommended Mitigation Steps
Remove approve and just send asset to bondNFT contract
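The failure mode and the recommended mitigation side by side, as an added example that is not code from the report or from the Tigris contracts. `UsdtLikeToken`, `Receiver` and `FeeForwarder` are constructed stand-ins, and approving `type(uint256).max` on every call is an assumption about how the allowance is set.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed USDT-style token: approve() rejects non-zero -> non-zero changes.
contract UsdtLikeToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][spender] = value;
    }

    function transfer(address to, uint256 value) external {
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }

    function transferFrom(address from, address to, uint256 value) external {
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }
}

// Hypothetical receiver standing in for the bondNFT contract.
contract Receiver {
    function pull(UsdtLikeToken token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
    }
}

// Hypothetical fee forwarder standing in for the contract that calls approve.
contract FeeForwarder {
    UsdtLikeToken public immutable token;
    Receiver public immutable receiver;

    constructor(UsdtLikeToken t, Receiver r) { token = t; receiver = r; }

    // Approve-then-pull: the first call succeeds, every later call reverts in
    // approve() because the leftover allowance is still non-zero.
    function forwardWithApprove(uint256 amount) external {
        token.approve(address(receiver), type(uint256).max);
        receiver.pull(token, amount);
    }

    // Mitigation from the report: no approve, send the asset directly.
    function forwardWithTransfer(uint256 amount) external {
        token.transfer(address(receiver), amount);
    }
}
```

After minting a balance to `FeeForwarder`, calling `forwardWithApprove` twice reproduces the revert on the second call, while `forwardWithTransfer` can be called repeatedly.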