Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Approve will not revert on call failure due to missing return value

Summary

Checking the bool return of ERC20 approve breaks the protocol for mainnet USDT and similar tokens which don't return true.

As a result, if the call fails the boolean will still return true for those specific tokens.

Vulnerability Details

All tokens that implement the ERC20 standard are in scope, which includes tokens such as USDT & BNB.

For USDT, the approve function does not return a boolean value. This means that even if the approve were to fail, the bool would still be set to true and the approve within the contract will pass.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24-L39

Impact

Protocol won't work with USDT and similar tokens.

Tools Used

Manual Review

Recommendations

Use SafeApprove.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

[invalid] finding-CapitalPool-approve-return-boolean

Invalid, a low-level call will always return true as long as the call succeeds without reverting, so this has no impact described, given approvals can only fail when some weird tokens do not allow a uint256.max approval, which is not described in any of the issues below.
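
The two ways of checking an `approve` call that the submission and the judgement refer to, side by side, as an added example (this is not Tadle's CapitalPool code; the library and function names are hypothetical). The second function follows the return-data handling used by OpenZeppelin's SafeERC20, which accepts both tokens that return nothing and tokens that return a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; names are hypothetical and not from the Tadle code base.
library ApproveCheck {
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    /// Pattern 1: rely only on the low-level success flag.
    /// `ok` is true whenever the callee does not revert, regardless of
    /// whether it returns nothing (USDT-style), `true`, or `false`.
    /// A call to an address with no code also yields `ok == true`.
    function approveSuccessOnly(address token, address spender, uint256 amount)
        internal
        returns (bool ok)
    {
        (ok, ) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, amount)
        );
    }

    /// Pattern 2: SafeERC20-style check.
    /// Reverts if the token has no code, if the call reverts, or if the
    /// token returns data that decodes to `false`. Empty return data is
    /// treated as success so tokens without a return value still work.
    function approveChecked(address token, address spender, uint256 amount)
        internal
    {
        require(token.code.length > 0, "token has no code");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, amount)
        );
        require(ok, "approve reverted");
        require(
            ret.length == 0 || (ret.length >= 32 && abi.decode(ret, (bool))),
            "approve returned false"
        );
    }
}
```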
