Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

`CapitalPool::approve` missing return values for some ERC20 tokens

Summary

Some ERC20 tokens (e.g. USDT, BNB, OMG) may incorrectly return false even when the operation was successful on approve. This inconsistency leads to incorrect assumptions about the success or failure of transactions in CapitalPool::approve.

Link: https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/CapitalPool.sol#L24-L39

Vulnerability Details

```solidity
function approve(address tokenAddr) external {
    address tokenManager = tadleFactory.relatedContracts(
        RelatedContractLibraries.TOKEN_MANAGER
    );
    (bool success, ) = tokenAddr.call(
        abi.encodeWithSelector(
            APPROVE_SELECTOR,
            tokenManager,
            type(uint256).max
        )
    );
@>  if (!success) {
        revert ApproveFailed();
    }
}
```

Impact

CapitalPool::approve expecting a return value might incorrectly assume an operation has failed due to incorrect return values, leading to tokens becoming "stuck" within the contract.

Tools Used

Manual review.

Recommendations

Implement a control that also considers this case.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

[invalid] finding-CapitalPool-approve-return-boolean

Invalid, low level call will always return true as long as the call succeeds without reverting, so this has no impact described, given approvals can only fail when some weird tokens do not allow a uint256.max approval, which is not described in any of the issues below.
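The low-level call behaviour the judgement refers to, as an added example that is not part of the submission or the Tadle code base: a status-only check like the one quoted in the submission, beside a stricter check that also inspects the return data. The mock tokens, the `ApproveProbe` contract and the `APPROVE_SELECTOR` value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock tokens (hypothetical, not from the Tadle code base).
contract ReturnsTrue {
    function approve(address, uint256) external pure returns (bool) { return true; }
}
contract ReturnsFalse {
    function approve(address, uint256) external pure returns (bool) { return false; }
}
contract ReturnsNothing {
    function approve(address, uint256) external pure {}
}
contract AlwaysReverts {
    function approve(address, uint256) external pure { revert("approve disabled"); }
}

contract ApproveProbe {
    // Assumed value: the standard selector for approve(address,uint256).
    bytes4 private constant APPROVE_SELECTOR =
        bytes4(keccak256("approve(address,uint256)"));

    error ApproveFailed();

    function _approveCall(address token, address spender)
        private returns (bool success, bytes memory data)
    {
        (success, data) = token.call(
            abi.encodeWithSelector(APPROVE_SELECTOR, spender, type(uint256).max)
        );
    }

    // Status-only check, as in the CapitalPool::approve snippet quoted in the
    // submission: `success` is false only when the callee reverts, so any bool
    // the token returns (or the absence of one) is ignored.
    function statusOnly(address token, address spender) external returns (bool) {
        (bool success, ) = _approveCall(token, spender);
        return success;
    }

    // Stricter check: a revert fails, empty return data is accepted only from
    // an address that has code, and a returned bool must decode to true.
    function strict(address token, address spender) external {
        (bool success, bytes memory data) = _approveCall(token, spender);
        if (!success) revert ApproveFailed();
        bool ok = data.length == 0 ? token.code.length > 0 : abi.decode(data, (bool));
        if (!ok) revert ApproveFailed();
    }
}
```

Deployed in a local test environment, `statusOnly` separates only `AlwaysReverts` from the other three mocks, while `strict` additionally rejects `ReturnsFalse` and addresses without code.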
