Upgraded Q -> M from #164 [1674419095024] #670
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
duplicate-198
satisfactory
satisfies C4 submission criteria; eligible for awards
Judge has assessed an item in Issue #164 as M risk. The relevant finding follows:
[LOW‑1] The Contract Should approve(0) First
Some tokens (like USDT L199) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved.
Proof Of Concept
117: IERC20(assets[i]).approve(address(bondNFT), type(uint256).max);
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/Lock.sol#L117
652: IERC20(_marginAsset).approve(_stableVault, type(uint).max);
https://github.com/code-423n4/2022-12-tigris/tree/main/contracts/Trading.sol#L652
Recommended Mitigation Steps
Approve with a zero amount first before setting the actual amount.
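The mitigation above, sketched as an added example (not code from the Tigris repository or from the original report). `MockGuardedToken` is a constructed mock that reproduces the allowance guard the finding describes, and `ApproveDemo`, `approveDirect` and `approveWithReset` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20Approve {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock: refuses to change a non-zero allowance to another
// non-zero value, the behaviour the finding attributes to tokens like USDT.
contract MockGuardedToken is IERC20Approve {
    mapping(address => mapping(address => uint256)) public override allowance;

    function approve(address spender, uint256 amount) external override returns (bool) {
        require(amount == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// Hypothetical caller contrasting the flagged pattern with the mitigation.
contract ApproveDemo {
    // Same shape as the flagged lines: the first call succeeds, a second call
    // against MockGuardedToken reverts because the allowance is already non-zero.
    function approveDirect(address token, address spender) external {
        IERC20Approve(token).approve(spender, type(uint256).max);
    }

    // Mitigation: clear any existing allowance, then set the intended amount.
    // Safe to call repeatedly against guarded and unguarded tokens alike.
    function approveWithReset(address token, address spender) external {
        IERC20Approve t = IERC20Approve(token);
        if (t.allowance(address(this), spender) != 0) {
            require(t.approve(spender, 0), "reset failed");
        }
        require(t.approve(spender, type(uint256).max), "approve failed");
    }
}
```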