MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

The function `editParams` encounters issues with USDT due to approval constraints.

Summary

The owner is unable to set a new SwapParams if one of the unchanged tokens is USDT, because the approval for the unchanged token is not reset to zero, so USDT's `approve` call reverts.

Vulnerability Details

When modifying the SwapParams, editParams will reset the approval to zero only if the new tokens are different from the old tokens. If the new tokens are the same as the old tokens, the approval will remain unchanged.

```solidity
function editParams(SwapParams memory newParams_) external onlyOwner {
    // Allowances are zeroed only for tokens that differ from the current params.
    if (params.tokenIn != newParams_.tokenIn) {
        TransferHelper.safeApprove(params.tokenIn, router, 0);
        TransferHelper.safeApprove(params.tokenIn, nonfungiblePositionManager, 0);
    }
    if (params.tokenOut != newParams_.tokenOut) {
        TransferHelper.safeApprove(params.tokenOut, nonfungiblePositionManager, 0);
    }
    _editParams(newParams_);
}
```

In `_editParams`, the approve method is invoked even if the new token is the same as the old token. If a token, particularly USDT, hasn't changed, its approve method will still be called, and the call fails because the previous allowance was not reset to 0.

```solidity
function _editParams(SwapParams memory newParams_) private {
    require(newParams_.tokenIn != address(0), "L2TR: invalid tokenIn");
    require(newParams_.tokenOut != address(0), "L2TR: invalid tokenOut");
    // Approvals are always set to max, whether or not the token changed.
    TransferHelper.safeApprove(newParams_.tokenIn, router, type(uint256).max);
    TransferHelper.safeApprove(newParams_.tokenIn, nonfungiblePositionManager, type(uint256).max);
    TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);
    params = newParams_;
}
```

This is the code of `approve`. The comment says that you first have to reduce the address's allowance to zero by calling `approve(_spender, 0)`, or the call will revert.

```solidity
function approve(address _spender, uint _value) public onlyPayloadSize(2 * 32) {
    // To change the approve amount you first have to reduce the addresses`
    //  allowance to zero by calling `approve(_spender, 0)` if it is not
    //  already 0 to mitigate the race condition described here:
    //  https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
    require(!((_value != 0) && (allowed[msg.sender][_spender] != 0)));
    allowed[msg.sender][_spender] = _value;
    Approval(msg.sender, _spender, _value);
}
```

Impact

The owner is unable to set a new SwapParams if the unchanged token is USDT, as the approval for the unchanged token is not reset to zero, so USDT's `approve` call reverts.

Tools Used

Manual Review

Recommendations

Ensure the approval is set to zero, even if the new tokens are the same as the old tokens.
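A reduced model of the control flow described in this submission, added here as an example and not taken from the MorpheusAI code base. `UsdtStyleToken`, `ReceiverModel` and `Check` are constructed names; the model tracks one token and one spender, calls `approve` directly instead of going through `TransferHelper`, and assumes the token in use actually enforces the `approve` rule quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock: enforces only the allowance rule from the approve() quoted above.
contract UsdtStyleToken {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical reduced receiver: one token, one spender, same branching as editParams.
contract ReceiverModel {
    address public tokenIn;
    address public router;
    constructor(address tokenIn_, address router_) {
        router = router_;
        _edit(tokenIn_); // initial max approval, as _editParams would set it
    }

    // Mirrors the quoted logic: zero the allowance only when the token changes.
    function editAsQuoted(address newTokenIn) external {
        if (tokenIn != newTokenIn) UsdtStyleToken(tokenIn).approve(router, 0);
        _edit(newTokenIn);
    }

    // Mirrors the recommendation: always zero the old allowance first.
    function editWithReset(address newTokenIn) external {
        UsdtStyleToken(tokenIn).approve(router, 0);
        _edit(newTokenIn);
    }

    function _edit(address newTokenIn) private {
        require(newTokenIn != address(0), "invalid tokenIn");
        UsdtStyleToken(newTokenIn).approve(router, type(uint256).max);
        tokenIn = newTokenIn;
    }
}

// Re-submits the same token through both paths and reports what happens.
contract Check {
    function run() external returns (bool quotedReverts, bool resetSucceeds) {
        UsdtStyleToken usdt = new UsdtStyleToken();
        ReceiverModel r = new ReceiverModel(address(usdt), address(0xBEEF));
        try r.editAsQuoted(address(usdt)) {} catch { quotedReverts = true; }
        try r.editWithReset(address(usdt)) { resetSucceeds = true; } catch {}
    }
}
```

Under that assumption `run()` returns `(true, true)`; with a token whose `approve` has no such check, both paths succeed and the first flag is `false`.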

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
