Description:
When a user calls SmartVaultV3::burn() to burn EUROs, the function invokes ERC20::transferFrom() to collect the burn fee. transferFrom() lets a spender (here the vault) move tokens on behalf of the owner (the user), but only if the owner has first called approve() granting the spender at least that amount. The burn function does not check the allowance before calling transferFrom(), so a user who has not pre-approved the vault for the fee amount has their transaction revert inside the token contract rather than receiving a clear message from the vault.
Impact:
Poor user experience: burn transactions revert with a low-level allowance error that does not tell users why the call failed or how to fix it (approve the vault for the fee amount and retry). Repeated unexplained failures may contribute to user apathy towards the platform.
Tools Used:
Manual review
Recommended Mitigation Steps:
Two alternative solutions are available, each with its own trade-off between security and user experience:
Add a require statement before the transferFrom() call that checks EUROs.allowance(msg.sender, address(this)) against the fee and reverts with a message telling the user to approve the vault for the required amount.
Have users approve the vault for a sufficiently large allowance (for example type(uint256).max) the first time they use the platform, so they do not need to repeat the approval every time they interact with the protocol. The trade-off is that an unlimited standing allowance exposes the user's full EUROs balance to the vault should it ever be compromised, whereas per-call approvals limit exposure to the fee.
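As an added illustration of the first mitigation (this is example code, not SmartVaultV3's actual implementation; the fee constants, the IEUROs burn interface, the protocol fee recipient and the minted accounting are assumptions made for the example), a simplified burn that checks the allowance up front and fails with an actionable message, with the second mitigation shown as the one-time user-side approval in the comment:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed token interface: an ERC20 whose burn() is callable by an authorised vault.
interface IEUROs is IERC20 {
    function burn(address from, uint256 amount) external;
}

// Hypothetical, simplified vault used only to demonstrate the allowance check.
contract VaultBurnExample {
    using SafeERC20 for IERC20;

    IEUROs public immutable euros;       // assumed: the EUROs token
    address public immutable protocol;   // assumed: recipient of burn fees
    uint256 public constant BURN_FEE_RATE = 500;    // assumed: 0.5%
    uint256 public constant HUNDRED_PC = 100_000;   // assumed: 100% denominator
    uint256 public minted;                          // EUROs minted against this vault

    event EUROsBurned(uint256 amount, uint256 fee);

    constructor(IEUROs _euros, address _protocol) {
        euros = _euros;
        protocol = _protocol;
    }

    // Fee due on a burn of `amount` EUROs, computed so the caller can pre-check it.
    function burnFee(uint256 amount) public pure returns (uint256) {
        return amount * BURN_FEE_RATE / HUNDRED_PC;
    }

    function burn(uint256 amount) external {
        require(amount <= minted, "SmartVault: burn exceeds minted amount");
        uint256 fee = burnFee(amount);

        // Mitigation 1: check the allowance before transferFrom() so the revert
        // reason tells the user what to do instead of a generic token error.
        uint256 allowed = euros.allowance(msg.sender, address(this));
        require(
            allowed >= fee,
            "SmartVault: approve this vault to spend the burn fee in EUROs before burning"
        );

        minted -= amount;
        euros.burn(msg.sender, amount);
        // transferFrom() succeeds because the allowance was verified above.
        IERC20(address(euros)).safeTransferFrom(msg.sender, protocol, fee);
        emit EUROsBurned(amount, fee);
    }

    // Mitigation 2 happens on the user's side, not in the vault. Once, before the
    // first burn, the user (or the front end on their behalf) calls:
    //
    //     euros.approve(address(vault), type(uint256).max);
    //
    // after which every later burn() passes the allowance check without a new
    // approval. The trade-off is that an unlimited allowance exposes the user's
    // whole EUROs balance to the vault if the vault is ever compromised, so a
    // per-burn approval of exactly burnFee(amount) is the safer default.
}
```

Reverting with a custom error (e.g. `error InsufficientAllowance(uint256 required, uint256 current)`) instead of a string is cheaper on gas and lets front ends display the exact fee the user still needs to approve; the require form is shown here because it matches the recommendation above.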