Some ERC20 tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. For example, Tether (USDT)'s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals.
The problem here is that the CapitalPool never checks for the allowance of the token, always approving it with type(uint256).max.
This will cause some tokens to revert when updating the allowance. For these tokens the allowance must first be set to zero, and only then can the actual allowance be approved.
USDT or other ERC20 tokens that do not return a boolean for approval will cause DoS on the market, preventing users from trading.
Manual Review
Replace the current implementation with SafeERC20.safeIncreaseAllowance from OZ.
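The behaviour described in this finding and the zero-then-set sequence it calls for, as an added sketch that is not the project's CapitalPool code or Tether's source. `MockUSDTLike`, `PoolSketch`, `IAllowance` and all function names are hypothetical, and the low-level call in `approveUnchecked` is an assumption about how an unconditional max approval might be issued.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IAllowance {
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock: reproduces only the two approve() quirks discussed above
// (no boolean return value; revert on a non-zero -> non-zero allowance change).
contract MockUSDTLike {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

// Hypothetical pool used only to contrast the two approval patterns.
contract PoolSketch {
    // Pattern from the finding: max approval issued without looking at the allowance.
    function approveUnchecked(address token, address spender) external {
        (bool ok, ) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, type(uint256).max)
        );
        require(ok, "approve failed"); // a second call reverts against MockUSDTLike
    }

    // Hardened: nothing to do at max, otherwise reset to zero before setting max.
    function approveSafe(address token, address spender) external {
        uint256 current = IAllowance(token).allowance(address(this), spender);
        if (current == type(uint256).max) return;
        if (current != 0) _approve(token, spender, 0);
        _approve(token, spender, type(uint256).max);
    }

    function _approve(address token, address spender, uint256 value) private {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, value)
        );
        // Accept tokens that return nothing as well as tokens that return true.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}
```

Against `MockUSDTLike`, calling `approveUnchecked` twice for the same spender reverts on the second call, while `approveSafe` can be called repeatedly.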
I believe this is invalid:
- For weird ERC20s with front-running approval protection such as USDT (only known instance so far), max approval is likely only required to be invoked once, considering the supply cap of such tokens. (USDT supply is at 53.8 billion (53.8e9 * 1e9), so this is 100% sufficient.)
- If approvals are insufficient, a new proxy for tadle market can always be deployed via the TadleFactory contract and migrated.