Tadle
Tadle
DeFi
30,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Transaction always revertes when approved type(uint256).max

0xgenaudits

Summary

Weird Tokens: https://github.com/d-xo/weird-erc20?tab=readme-ov-file#revert-on-large-approvals--transfers

Certain ERC-20 tokens do not support the approve function with the type(uint256).max value.
This issue arises when attempting to approve a maximum possible value for token transfers,
which can lead to transaction always revert.

Vulnerability Details

The approve function in ERC-20 tokens is used to authorize a spender to withdraw tokens from the caller's account.
A common practice is to use type(uint256).max as the approval amount to grant unlimited access to the spender.
However, some tokens are not designed to handle this maximum value and will revert transactions when such a large amount is used.

file: https://github.com/Cyfrin/2024-08-tadle/blob/main/src/core/CapitalPool.sol#L32

function approve(address tokenAddr) external {
address tokenManager = tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER);
(bool success, ) = tokenAddr.call(
@>>> abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
);
if (!success) revert ApproveFailed();
}

Impact

transaction failure, transactions attempting to approve type(uint256).max will always fail.

Tools Used

Recommendations

use lower values for approvals instead of type(uint256).max, Only approve appropriate amounts before transfer.

- function approve(address tokenAddr) external {
+ function approve(address tokenAddr, uint256 amount) external {
address tokenManager = tadleFactory.relatedContracts(RelatedContractLibraries.TOKEN_MANAGER);
(bool success, ) = tokenAddr.call(
- abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, type(uint256).max)
+ abi.encodeWithSelector(APPROVE_SELECTOR, tokenManager, amount)
);
if (!success) revert ApproveFailed();
}
Updates

Lead Judging Commences

0xnevi Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[invalid] finding-CapitalPool-approve-uint256-max

Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```

Appeal created

kiteweb3 Judge
10 months ago
0xnevi Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-CapitalPool-approve-uint256-max

Thanks for flagging, indeed since uint(-1) is representative of max uint256 value, when entering the `if` statement, it will be converted to uint96 max amout, so it will not revert as described. In issue #361, the mockToken utilized does not correctly reflect the below approval behavior. ```Solidity function approve(address spender, uint rawAmount) external returns (bool) { uint96 amount; if (rawAmount == uint(-1)) { amount = uint96(-1); } else { amount = safe96(rawAmount, "Comp::approve: amount exceeds 96 bits"); } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.