stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Invalid

Incompatible Approvals Halt Rewards for UNI, COMP and Others

Summary

The approveRewardTokens function in the contract attempts to approve unlimited allowances for tokens, potentially exceeding the maximum allowance supported by certain popular tokens like UNI and COMP. This could lead to approval failures hindering reward distribution for those tokens.

Vulnerability Details

The contract's approveRewardTokens function attempts to approve maximum allowances (type(uint256).max) for tokens.

    function approveRewardTokens(address[] calldata _tokens) external onlyOwner {
        address router = getRouter();
        for (uint256 i = 0; i < _tokens.length; i++) {
            IERC20(_tokens[i]).safeApprove(router, type(uint256).max); // Attempt to approve unlimited allowance
        }
    }

Certain popular tokens, including UNI and COMP, have restrictions and only support allowances up to type(uint96).max.

Impact

Exceeding this limit during approval results in failures, preventing reward distribution for these tokens.

Tools Used

Manual Review

Recommendations

Adjust the function to set allowances to type(uint96).max. Once an allowance is consumed, incorporate logic to automatically re-approve up to type(uint96).max, ensuring continued functionality.
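
One way to implement the recommendation above, as an added example that is not stake.link's code or part of the original submission. It assumes OpenZeppelin 4.x `SafeERC20`, where `safeApprove` reverts on a non-zero to non-zero allowance change; `BoundedRewardApprovals`, `_router` and `_ensureAllowance` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added illustration, not the audited contract. Assumes OpenZeppelin 4.x.
abstract contract BoundedRewardApprovals {
    using SafeERC20 for IERC20;

    // Allowance cap taken from the recommendation: type(uint96).max.
    uint256 internal constant MAX_ALLOWANCE = type(uint96).max;

    /// Hypothetical hook standing in for the getRouter() lookup on the page.
    function _router() internal view virtual returns (address);

    /// Call before handing `_needed` tokens to the router. Re-approves up to
    /// the cap only when the remaining allowance cannot cover the transfer.
    function _ensureAllowance(IERC20 _token, uint256 _needed) internal {
        require(_needed <= MAX_ALLOWANCE, "amount exceeds allowance cap");

        address router = _router();
        uint256 current = _token.allowance(address(this), router);
        if (current >= _needed) return;

        // safeApprove rejects non-zero -> non-zero changes, so clear a
        // partially consumed allowance before setting it back to the cap.
        if (current != 0) {
            _token.safeApprove(router, 0);
        }
        _token.safeApprove(router, MAX_ALLOWANCE);
    }
}
```

Calling `_ensureAllowance` on the distribution path removes the need for a separate owner-only re-approval transaction once an allowance has been spent down.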

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
