`CapitalPool::approve` will not work for tokens that revert on large approvals
Summary
The approve function of CapitalPool approves the max type(uint256).max amount to the token manager, but certain tokens don't work for large approvals will make the approvals of tokens fail, as a result of which no token can be approved to token manager contract.
Vulnerability Details
The vulnerability is present in the
approvefunction because to it approves the uint256 max amount to token manager, which won't work with tokens that revert on larger approvals.The
approvefunction plays a crucial role in approving the tokens to be spent by token manager, where token manager is responsible for the distribution of tokens to users. The CapitalPool stores all the tokens, and by approving them to token manager, the token manager can spend them and transfer it to users.But due to no approval can be made, the transfers will face a DoS.
Impact
No transfers can be made from token manager to users, as the approvals will revert.
Tools Used
Manual Review
Recommendations
Instead of approving the uint256 max amount, make the approve function takes an extra parameter specifying the amount to transfer, and in the TokenManager::_transfer function always call the approve function with the desired amount to be sent to user, whenever _from is capital pool address.
Lead Judging Commences
[invalid] finding-CapitalPool-approve-uint256-max
Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```
Appeal created
[invalid] finding-CapitalPool-approve-uint256-max
Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.