DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

[M] Lack of approval before transferring tokens in addUnderlying

Summary

In the Beanstalk protocol's addUnderlying function, token approvals are granted to external contracts for liquidity operations without checking whether the approved amount is actually needed or whether a sufficient allowance has already been granted.

This leads to unnecessary gas costs, and it widens the exposure if the approved contracts have vulnerabilities or are exploited.

Vulnerability Details

The approve function of an ERC-20 token sets a spending allowance for a third-party contract. In addUnderlying, approve is called on every execution of the function, without checking whether the existing allowance is already sufficient for the operation or has already been set to the intended amount.

This redundant approval wastes gas and can leave token allowances in a state that does not reflect what the contract actually needs.

Impact

If no approval has happened before a transfer, the addUnderlying function will fail.

Not all IERC20 implementations revert() when approve() fails. The function signature has a boolean return value, and some tokens signal errors that way instead. By not checking the return value, operations that should have been marked as failed may go through without actually approving anything.

// Excerpt from addUnderlying: the tokens are pulled in from the caller,
// then approved for the Well.
IERC20(barnRaiseToken).transferFrom(
    msg.sender,
    address(this),
    uint256(tokenAmountIn)
);
// The boolean return values of these approve() calls are ignored.
IERC20(barnRaiseToken).approve(barnRaiseWell, uint256(tokenAmountIn));
C.bean().approve(barnRaiseWell, newDepositedLPBeans);
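The following contract pair is an added illustration, not code from Beanstalk or from the submission. It puts the unchecked approve pattern quoted above next to a checked form, using a constructed mock token (FalseReturningToken) whose approve() returns false instead of reverting, exactly the failure mode the Impact section describes. The Consumer contract, its spender address and the rejectApprovals toggle are hypothetical names introduced here for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Beanstalk code): the minimal IERC20 subset used below.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock: a token whose approve() signals failure by returning
// false rather than reverting, as the finding describes.
contract FalseReturningToken is IERC20 {
    mapping(address => mapping(address => uint256)) private _allowance;
    bool public rejectApprovals; // constructed toggle to simulate a failing approve()

    function setRejectApprovals(bool v) external { rejectApprovals = v; }

    function approve(address spender, uint256 amount) external returns (bool) {
        if (rejectApprovals) return false;          // no revert, just "false"
        _allowance[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowance[owner][spender];
    }
}

// Hypothetical consumer contrasting the unchecked call from the report with checked variants.
contract Consumer {
    IERC20 public immutable token;
    address public immutable spender;

    constructor(IERC20 _token, address _spender) { token = _token; spender = _spender; }

    // Unchecked: mirrors the report's call. Execution continues even when
    // approve() returned false, so the allowance may still be zero afterwards.
    function approveUnchecked(uint256 amount) external {
        token.approve(spender, amount);
    }

    // Checked: reverts when the token reports failure through its boolean return value.
    function approveChecked(uint256 amount) external {
        bool ok = token.approve(spender, amount);
        require(ok, "approve failed");
    }

    // Checked and also tolerant of tokens whose approve() returns no data at all:
    // empty return data is treated as success, non-empty data must decode to true.
    // This is the same shape of check OpenZeppelin's SafeERC20 applies.
    function approveCompat(uint256 amount) external {
        (bool success, bytes memory data) = address(token).call(
            abi.encodeCall(IERC20.approve, (spender, amount))
        );
        require(success && (data.length == 0 || abi.decode(data, (bool))), "approve failed");
    }

    // Skip the approve() entirely when the current allowance already covers the
    // amount, which addresses the redundant-approval point in the Summary.
    function approveIfNeeded(uint256 amount) external returns (bool called) {
        if (token.allowance(address(this), spender) >= amount) return false;
        require(token.approve(spender, amount), "approve failed");
        return true;
    }
}
```

With rejectApprovals set to true on the mock, approveUnchecked completes and leaves the allowance at zero, while approveChecked and approveCompat revert; that difference is the whole point of the finding. One caveat when adopting approveIfNeeded: some widely used tokens require the allowance to be reset to zero before it can be changed to a different non-zero value, so a production version should handle that case rather than assuming a direct overwrite succeeds.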

Tools Used

Manual Review

Recommendations

Call approve before transferring tokens, and check its boolean return value instead of discarding it, so that a token that signals failure without reverting cannot leave the operation half-completed.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
