ZKsync Era | Foundry | Layer 2 | 500,000 USDC
Submission Details
Severity: medium
Valid

Some tokens will fail in `L1ERC20Bridge._approveFundsToAssetRouter` because of no return value

Summary

Some tokens (like USDT) have no return value on their `approve` function. This will cause a revert with `ApprovalFailed` in the `_approveFundsToAssetRouter` function.

Vulnerability Details

https://github.com/Cyfrin/2024-10-zksync/blob/cfc1251de29379a9548eeff1eea3c78267288356/era-contracts/l1-contracts/contracts/bridge/L1ERC20Bridge.sol#L230

The `_approveFundsToAssetRouter` function is used to transfer tokens from the depositor address to the bridge. In between, it calls `_token.approve` to give `L1_ASSET_ROUTER` an allowance for the amount, which is required for the later deposit operation.
However, some tokens (like USDT) don't return a value on approval. This will cause an issue in the following line, where `success` is checked:

```solidity
function _approveFundsToAssetRouter(address _from, IERC20 _token, uint256 _amount) internal returns (uint256) {
    uint256 balanceBefore = _token.balanceOf(address(this));
    _token.safeTransferFrom(_from, address(this), _amount);
    // --> fails here for tokens whose approve() returns no value (e.g. USDT)
    bool success = _token.approve(address(L1_ASSET_ROUTER), _amount);
    if (!success) {
        // --> the deposit reverts instead of completing
        revert ApprovalFailed();
    }
    ...
}
```

Impact

Deposit operations for some tokens like USDT will revert.

Tools Used

Manual Review

Mitigation Steps

Make sure `success` reflects the actual status of the approval. Consider using a third-party library such as OpenZeppelin's SafeERC20 (the function already relies on its `safeTransferFrom`).
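The failure mode and the fix side by side, as an added example that is not the bridge's own code: a constructed USDT-style token whose `approve` returns nothing, the unsafe pattern from the report, and a hardened low-level-call version that mirrors what OpenZeppelin's SafeERC20 does. `NoReturnToken`, `ApprovalDemo` and the spender address `0xBEEF` are assumptions made for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard interface the bridge codes against: `approve` is declared to return bool.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed minimal token mimicking USDT's non-standard `approve`:
// it records the allowance but returns nothing (assumption for the demo).
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

contract ApprovalDemo {
    error ApprovalFailed();

    // Unsafe pattern from the report: the high-level call expects 32 bytes of
    // return data; with none, the call itself reverts and the deposit fails.
    function approveUnsafe(IERC20 token, address spender, uint256 amount) public {
        bool success = token.approve(spender, amount);
        if (!success) revert ApprovalFailed();
    }

    // Hardened pattern (same idea as SafeERC20): low-level call, then accept
    // either an ABI-encoded `true` or empty return data from a real contract.
    function approveSafe(IERC20 token, address spender, uint256 amount) public {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeCall(IERC20.approve, (spender, amount))
        );
        if (!ok) revert ApprovalFailed();
        bool accepted = data.length == 0
            ? address(token).code.length > 0   // no-return token, but real code
            : abi.decode(data, (bool));
        if (!accepted) revert ApprovalFailed();
    }

    // Deploys the constructed token and exercises both paths: the unsafe call
    // reverts and is caught, the safe call records the allowance.
    function reproduce() external returns (bool unsafeReverted, uint256 allowanceAfter) {
        NoReturnToken token = new NoReturnToken();
        try this.approveUnsafe(IERC20(address(token)), address(0xBEEF), 1000) {}
        catch { unsafeReverted = true; }
        this.approveSafe(IERC20(address(token)), address(0xBEEF), 1000);
        allowanceAfter = token.allowance(address(this), address(0xBEEF));
    }
}
```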

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`L1ERC20Bridge` Uses Unsafe Approvals - USDT won't work
