Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

`setWithdrawalPool` function may not work for some tokens that don't support approve type(uint256).max.

Summary

setWithdrawalPool may not work for some tokens that don't support approve type(uint256).max.

Vulnerability Details

The setWithdrawalPool function aims to establish a withdrawal pool for managing Liquid Staking Tokens (LSTs). However, some LSTs may not support setting an approval limit of type(uint256).max.

This code snippet in the setWithdrawalPool function uses safeApprove to set the maximum allowance for the withdrawal pool:

```solidity
function setWithdrawalPool(address _withdrawalPool) external onlyOwner {
    if (address(withdrawalPool) != address(0)) {
        IERC20Upgradeable(address(stakingPool)).safeApprove(address(withdrawalPool), 0);
        token.safeApprove(address(withdrawalPool), 0);
    }
    IERC20Upgradeable(address(stakingPool)).safeApprove(_withdrawalPool, type(uint256).max);
    token.safeApprove(_withdrawalPool, type(uint256).max);
    withdrawalPool = IWithdrawalPool(_withdrawalPool);
}
```

Some LST tokens do not support approvals of type(uint256).max; attempting to do so may result in reverts and reduced usability.

Impact

Tokens that do not support safeApprove with type(uint256).max will become problematic during the withdrawal process, causing frustration for users.

Tools Used

Manual

Recommendations

I would suggest approving only the necessary amount of tokens to the withdrawalPool instead of type(uint256).max.
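The following sketch is an added example, not code from the submission or from the Stakelink contracts. It shows the two approval styles against a constructed mock token; `CappedApprovalToken`, `ApprovalDemo`, `IApprovable` and the `uint96` cap are all hypothetical and stand in for the unnamed "some tokens" of the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Constructed mock, not a real token: rejects any allowance above a fixed cap,
// which is the behaviour the report assumes for "some tokens".
contract CappedApprovalToken {
    uint256 public constant MAX_ALLOWANCE = type(uint96).max; // assumed cap
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        require(amount <= MAX_ALLOWANCE, "allowance exceeds cap");
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

interface IApprovable {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical holder contract showing both approval styles side by side.
contract ApprovalDemo {
    IApprovable public immutable token;
    address public immutable withdrawalPool;
    address public immutable owner = msg.sender;

    constructor(IApprovable _token, address _withdrawalPool) {
        token = _token;
        withdrawalPool = _withdrawalPool;
    }

    // Style used by setWithdrawalPool: reverts against CappedApprovalToken.
    function approveUnlimited() external {
        require(msg.sender == owner, "not owner");
        require(token.approve(withdrawalPool, type(uint256).max), "approve failed");
    }

    // Recommended style: grant exactly what the next transfer needs, resetting
    // to zero first (safeApprove rejects non-zero to non-zero changes).
    function approveExact(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        if (token.allowance(address(this), withdrawalPool) != 0) {
            require(token.approve(withdrawalPool, 0), "reset failed");
        }
        require(token.approve(withdrawalPool, amount), "approve failed");
    }
}
```

Deployed against the mock, `approveUnlimited()` reverts with "allowance exceeds cap", while `approveExact(amount)` succeeds for any amount at or below the cap.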

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
