Summary
The approve function performs a low-level call to tokenAddr. If the call reverts, the transaction reverts. However, a low-level call whose return data is not inspected can let failures pass unnoticed or cause unexpected behaviour.
A malicious token contract could always return true, even if the approve call fails or does something malicious. This could lead to unauthorised transfers or other unexpected behaviour.
If an attacker manages to bypass the approval mechanism, they could potentially drain the entire token balance of the contract. The loss would depend on the balance of the token at the time of the attack but could be catastrophic if the contract holds significant funds.
Tool used
Manual review
CODE SNIPPET
Recommendation
Use the IERC20 interface and its approve function to avoid low-level calls.
Invalid: a low-level call will always return true as long as the call succeeds without reverting, so this has none of the impact described, given approvals can only fail when some weird tokens do not allow a uint256.max approval, which is not described in any of the issues below.
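To make the difference between the two call styles concrete (the recommendation above and the judge's observation that the low-level `ok` flag only reflects revert status), here is an added illustration. It is not code from the audited project or from the report; the `IERC20` interface, the `ApprovalExamples` contract and the three function names are assumed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 approve interface (assumed here; matches the standard signature).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract ApprovalExamples {
    // Pattern from the finding: low-level call.
    // `ok` is true whenever the callee did not revert. It says nothing about the
    // bool the token returned, and it is also true when tokenAddr has no code
    // at all (a call to an EOA returns (true, "")). The returned data is dropped.
    function approveLowLevel(address tokenAddr, address spender, uint256 amount) external {
        (bool ok, ) = tokenAddr.call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        require(ok, "approve call reverted");
    }

    // Recommended form: typed interface call.
    // The compiler ABI-decodes the return value, so a token returning `false`
    // can be acted on, and a callee that returns no data makes the decode revert.
    function approveTyped(address tokenAddr, address spender, uint256 amount) external {
        bool ok = IERC20(tokenAddr).approve(spender, amount);
        require(ok, "approve returned false");
    }

    // Defensive variant for the caveat a practitioner hits in practice: some
    // widely used tokens return no data from approve, so the typed call above
    // reverts on them. This checks that the target is a contract, that the call
    // did not revert, and that any returned bool is true.
    function approveDefensive(address tokenAddr, address spender, uint256 amount) external {
        require(tokenAddr.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = tokenAddr.call(
            abi.encodeWithSelector(IERC20.approve.selector, spender, amount)
        );
        require(ok, "approve call reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "approve returned false");
    }
}
```

The first function is the shape the finding describes and the judge's comment explains: `ok` is a revert flag, not an approval result. The second is the recommended typed call. The third shows the check a reviewer would expect when the token set is not controlled, since it distinguishes "reverted", "returned false" and "returned nothing" instead of treating them all as success.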