Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Some ERC-20 Standard Tokens Reverting on Maximum Approval

hunter_w3b

Summary

As the protocol states:

- ERC20 (any token that follows the ERC20 standard)

UNI and COMP follow the ERC20 standard, but the CapitalPool contract encounters issues when interacting with them due to their special logic in the approve function. Specifically, these tokens revert when a maximum approval (uint256(-1)) is attempted, due to internal handling that limits the approval value to type(uint96).max. This behavior is inconsistent with other ERC-20 tokens and may cause the approve function in the CapitalPool contract to fail.

Vulnerability Details

The vulnerability arises from the assumption that all ERC-20 tokens will handle a maximum approval value of uint256(-1) in a uniform manner. However, tokens like UNI and COMP have specialized logic that caps the approval value at type(uint96).max when the input value is uint256(-1). This discrepancy can lead to a revert when the PreMarkets contract attempts to approve a maximum value, causing the approve transaction to fail.

function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(
RelatedContractLibraries.TOKEN_MANAGER
);
(bool success, ) = tokenAddr.call(
abi.encodeWithSelector(
APPROVE_SELECTOR,
tokenManager,
type(uint256).max
)
);
if (!success) {
revert ApproveFailed();
}
}

In this code, the contract attempts to set the allowance to type(uint256).max for the specified tokenAddr. When this function interacts with tokens like UNI and COMP, the transaction may revert due to the aforementioned special handling.

Impact

If not addressed, this issue can cause approval transactions to fail.

Tools Used

Manual review

Recommendations

Implement logic in the CapitalPool contract to detect if the token in question has special handling for maximum approvals.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

[invalid] finding-CapitalPool-approve-uint256-max

Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```

Appeal created

kiteweb3 Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-CapitalPool-approve-uint256-max

Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.