The distributeFees() function in the LiquidationPoolManager contract sets an ERC-20 allowance with a plain approve() call and never resets the existing allowance to zero first. Some widely used tokens (USDT being the best-known) reject an approve() that moves a non-zero allowance directly to another non-zero value, so on such a token the second distribution would revert.
The distributeFees() function is meant to approve the associated LiquidationPool to pull its share of the accrued fees and then transfer the remaining EUROs to a protocol address. The approval step is the problem: the function calls approve(pool, amount) on whatever allowance is currently in place. If the pool did not consume the entire previous allowance, the stored allowance is still non-zero when the next distribution runs, and a token that enforces the "reset to zero before changing" rule (USDT's approve() reverts when both the current allowance and the new value are non-zero) makes the call, and therefore the whole distribution, fail. The same call also assumes approve() returns a bool, which not every deployed token does.
Unsafe ERC-20 approve() usage that does not account for non-standard token behaviour:
1. Some token contracts return no value from approve(). A call made through the IERC20 interface expects a bool and reverts when the return data is missing.
2. Some token contracts revert when approve() is called with a non-zero value while the current allowance is also non-zero (the USDT pattern).
Either behaviour causes distributeFees() to revert, blocking fee distribution for that token.
Manual
It is recommended to reset the allowance to zero before setting a new value, i.e. approve(pool, 0) followed by approve(pool, amount), or to route the call through OpenZeppelin's SafeERC20 so that missing return data and the non-zero-to-non-zero revert are both handled. On OpenZeppelin 4.9 and later, forceApprove() (and safeIncreaseAllowance(), which uses it internally) performs the reset-then-set sequence automatically when the direct approve fails; note that the older safeApprove() itself reverts unless the current allowance is already zero, so it does not remove the need for the reset, and it was dropped in OpenZeppelin 5.0.
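The following is an added illustration, not code from the LiquidationPoolManager contract or the project. It constructs a mock token that reproduces the two non-standard behaviours described above (approve() returns nothing and rejects non-zero to non-zero changes), a hypothetical distributor using the bare approve() pattern, and a hardened version using OpenZeppelin's forceApprove(). The contract names, the `pool` address, and the `fees` parameter are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin 4.9+ / 5.x (forceApprove exists in both)
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed test double mirroring USDT's approve() semantics. It is not the real token:
/// approve() returns no data, and reverts when changing a non-zero allowance to another non-zero value.
contract NonZeroToNonZeroRevertToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // Deliberately no `returns (bool)`: a caller compiled against IERC20 reverts on return-data decoding.
    function approve(address spender, uint256 value) external {
        require(!(value != 0 && allowance[msg.sender][spender] != 0), "reset allowance to zero first");
        allowance[msg.sender][spender] = value;
    }
}

/// Hypothetical manager showing the pattern the finding describes (assumed shape, not the audited code).
contract UnsafeFeeDistributor {
    IERC20 public immutable euros;   // stands in for the EUROs token
    address public immutable pool;   // stands in for the LiquidationPool

    constructor(IERC20 _euros, address _pool) {
        euros = _euros;
        pool = _pool;
    }

    // Vulnerable: a bare approve().
    // 1) Against a token whose approve() returns nothing, this call reverts while decoding the bool.
    // 2) Against a token that forbids non-zero -> non-zero, the call reverts on every distribution
    //    after the first unless the pool consumed the entire previous allowance.
    function distributeFees(uint256 fees) external {
        euros.approve(pool, fees);
        // ... pool would pull `fees` here and the remainder would be transferred to the protocol
    }
}

/// Hardened version of the same hypothetical manager.
contract SafeFeeDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable euros;
    address public immutable pool;

    constructor(IERC20 _euros, address _pool) {
        euros = _euros;
        pool = _pool;
    }

    // forceApprove() issues a low-level call that tolerates missing return data and, if the
    // direct approve(pool, fees) fails, retries as approve(pool, 0) followed by approve(pool, fees):
    // exactly the reset-to-zero sequence that USDT-style tokens require.
    function distributeFees(uint256 fees) external {
        euros.forceApprove(pool, fees);
        // ...
    }

    // Equivalent manual fix for code bases that cannot upgrade OpenZeppelin: explicit reset, then set.
    // Note this still assumes approve() returns a bool, so it only addresses the second failure mode.
    function distributeFeesManualReset(uint256 fees) external {
        euros.approve(pool, 0);
        euros.approve(pool, fees);
    }
}
```

To reproduce the failure in a test, deploy NonZeroToNonZeroRevertToken, point UnsafeFeeDistributor at it, and call distributeFees() twice with a non-zero amount: the first call already reverts on the missing return value; casting the token to a no-return interface and calling twice reverts on the second call with "reset allowance to zero first". The SafeFeeDistributor.distributeFees() path succeeds in both cases.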