Did Not Approve To Zero First #391
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-104
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L110-L120
Vulnerability details
Impact
Inside the
Lock
contractclaimGovFees
function can be DOSed on tokens like USDT, KNC because token like this needs to first be approved to zero.In case
claimGovFees
reverts because a token like this. TheLock
contract functionality is compromised becauseclaimGovFees
is internally the first call in all the main contract methods:release
claim
claimDebt
lock
Notice:
The problem is that a token like this cannot be whitelisted with
Lock::editAsset
because it comes frombondNFT
state variable. And thisBondNFT
contract can add an unsupported token later withBondNFT::addAsset
. And once is added it cannot be removed. EvensetAllowedAsset
will not stop the DOSing becauseBondNFT::getAssets()
will still return the offending token.Proof of Concept
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L110-L120
Tools Used
Manual review
Recommended Mitigation Steps
Approve ERC20 token to zero first.
function claimGovFees() public { address[] memory assets = bondNFT.getAssets(); for (uint i=0; i < assets.length; i++) { uint balanceBefore = IERC20(assets[i]).balanceOf(address(this)); IGovNFT(govNFT).claim(assets[i]); uint balanceAfter = IERC20(assets[i]).balanceOf(address(this)); + IERC20(assets[i]).approve(address(bondNFT), 0); IERC20(assets[i]).approve(address(bondNFT), type(uint256).max); bondNFT.distribute(assets[i], balanceAfter - balanceBefore); } }
The text was updated successfully, but these errors were encountered: