First Flight #21: KittyFi

First Flight #21
Tags: Beginner Friendly, DeFi, Foundry
100 EXP
Submission Details
Severity: high
Invalid

KittyVault not approved to spend user collateral

Summary

Calling KittyPool::depawsitMeowllateral will revert, since the collateral vault is not approved to spend the user's collateral token.

Vulnerability Details

In KittyPool::depawsitMeowllateral, the KittyVault contract for the token is never approved to transfer the user's collateral token, so the safeTransferFrom in KittyVault::executeDepawsit does not work automatically: it reverts unless the user manually approves the vault before calling KittyPool::depawsitMeowllateral. This is poor UX design and leads to a potential DoS for users.

PoC

// Foundry test: with no prior approval of the vault, the deposit reverts.
function test_UserCannotDepositsWithoutApproval() public {
    uint256 toDeposit = 5 ether;
    vm.startPrank(user);
    vm.expectRevert();
    kittyPool.depawsitMeowllateral(weth, toDeposit);
    vm.stopPrank();
}
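To show what the revert in the PoC depends on, here is an added, self-contained Foundry example (not the KittyFi code base) with a constructed mock token and simplified Pool/Vault stand-ins: the deposit reverts with no allowance and succeeds once the user approves the vault, the contract that actually calls transferFrom. The forge-std and OpenZeppelin imports are assumed to be installed in the project.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock token that mints 10 ether of balance to the given holder.
contract MockWETH is ERC20("Mock WETH", "WETH") {
    constructor(address holder) { _mint(holder, 10 ether); }
}

// Stand-in for KittyVault: it is msg.sender of transferFrom, so the allowance checked is user -> vault.
contract Vault {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;
    constructor(IERC20 t) { token = t; }
    function executeDepawsit(address user, uint256 amt) external {
        token.safeTransferFrom(user, address(this), amt);
        deposited[user] += amt;
    }
}

// Stand-in for KittyPool: it only forwards the caller's deposit to the vault.
contract Pool {
    Vault public immutable vault;
    constructor(Vault v) { vault = v; }
    function depawsitMeowllateral(uint256 amt) external { vault.executeDepawsit(msg.sender, amt); }
}

contract AllowanceTest is Test {
    address user = makeAddr("user");
    MockWETH weth = new MockWETH(user);
    Vault vault = new Vault(weth);
    Pool pool = new Pool(vault);

    // No allowance: the vault's transferFrom reverts, as the finding reports.
    function test_RevertsWithoutApproval() public {
        vm.startPrank(user);
        vm.expectRevert();
        pool.depawsitMeowllateral(5 ether);
        vm.stopPrank();
    }

    // The allowance must name the vault, the contract that performs the transferFrom.
    function test_SucceedsWhenUserApprovesVault() public {
        vm.startPrank(user);
        weth.approve(address(vault), 5 ether);
        pool.depawsitMeowllateral(5 ether);
        vm.stopPrank();
        assertEq(vault.deposited(user), 5 ether);
    }
}
```

Run with forge test; note that approving the pool instead of the vault would still revert, because the pool never calls transferFrom itself.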

Impact

  • Poor UX leading to potential DoS, except in rare cases where the user is either a smart contract developer or is highly knowledgeable about how ERC20s work.

Tools Used

  • Manual review

  • Foundry test

Recommendations

function depawsitMeowllateral(address _token, uint256 _ameownt) external tokenExists(_token) {
+ _token.approve(tokenToVault[_token],_ameownt);
IKittyVault(tokenToVault[_token]).executeDepawsit(msg.sender, _ameownt);
}
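
Review bot: the added line `_token.approve(tokenToVault[_token],_ameownt);` does not compile, because `_token` is a bare `address` with no `approve` member; it would at least need an interface cast such as `IERC20(_token).approve(tokenToVault[_token], _ameownt);`. Even then it does not achieve the stated goal: an `approve` executed by KittyPool sets an allowance from the pool's own balance to the vault, while `executeDepawsit(msg.sender, _ameownt)` pulls tokens from `msg.sender` via `transferFrom`, which checks the allowance `msg.sender -> vault`. Only the token holder can grant that allowance, so the user-side approve step described in the finding cannot be replaced by a call inside the pool; the recommendation should instead document the required approval of the vault address (or, if the design is changed, have the pool pull from the user and forward to the vault).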
Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
