`UNI`, `COMP` and other ERC-20 tokens unable to be used for airdrops in `SablierV2MerkleLL.sol` and `SablierV2MerkleLT.sol` contracts
Summary
The contracts SablierV2MerkleLL.sol and SablierV2MerkleLT.sol can not utilize UNI, COMP and lot of copy-cats for airdrops because of the way the forceApprove function is implemented.
Vulnerability Details
In the constructor of the SablierV2MerkleLL.sol and SablierV2MerkleLT.sol contracts, the forceApprove function is called to approve the LOCKUP_TRANCHED and LOCKUP_LINEAR contracts to spend the ASSET token. However, the current implementation prevents the protocol to be used by various ERC-20 tokens like UNI, COMP and lot of copy-cats since the allowance is hard coded to type(uint256).max. As we can see these tokens revert the transaction if the allowance is set to type(uint256).max.
Impact
This vulnerability prevents the contract to be used from various ERC-20 tokens which are developed like UNI and that leads to a limitation in the protocol.
Tools Used
Manual review
Recommendations
Consider approving uint(-1) which according to the logic of these contracts means infinite :
Lead Judging Commences
ERC20 UNI and COMP Revert on Large Approvals
ERC20 UNI and COMP Revert on Large Approvals
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.