Second Buyer Creation Reverts Due to Pre-existing Approval If Swan.token() Uses A Token That Requires Zero Approval Before Re-approving Such As USDT
Summary
In the BuyerAgent contract, if the Swan contract's designated token is USDT, a user’s attempt to create a BuyerAgent for the second time will fail. This occurs because of a max approval set during BuyerAgent deployment in the constructor. Certain tokens, like USDT, require the allowance to be reset to zero before re-approval; without this, subsequent calls to the createBuyer function will revert.
Vulnerability Details
The BuyerAgent contract constructor grants a max allowance to the swan.coordinator and swan addresses:
For tokens like USDT, a non-zero allowance cannot be modified directly to another value without first being set to zero. If USDT is designated as the token in Swan.sol, attempts to create a second BuyerAgent with the createBuyer function will revert upon reaching the approve call due to the existing non-zero allowance.
Impact
Swancontract designates USDT as the payment token.A user deploys a
BuyerAgentusing thecreateBuyerfunction, which sets amaxallowance toswan.coordinatorandswan.The user attempts to deploy a second
BuyerAgentusingcreateBuyer.The transaction fails when the contract attempts to set a
maxapproval on USDT without first resetting it to zero.
Recommendations
Use safeApprove, which resets the allowance to zero before setting a new value, to prevent reverts when handling tokens like USDT.
Replace the following in the constructor:
With:
This adjustment ensures compatibility with tokens requiring a zero-allowance reset, thus supporting repeated BuyerAgent deployments with any designated token.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.