Incompatibility in `L1ERC20Bridge` contract with ERC20 tokens that do not return boolean on approval (e.g., USDT)
Summary
The IERC20.approve function is utilized in the deposit and _approveFundsToAssetRouter functions of the L1ERC20Bridge contract. However, certain ERC20 tokens, like USDT, do not return a boolean value upon approval, leading to a revert during standard bridging operations.
Vulnerability Details
deposit function of L1ERC20Bridge contract is the entry point of a bridging operation that initiates a deposit by locking funds on the contract and sending the request. In order to deposit the token into L1_ASSET_ROUTER, it forgoes an approval action upon the bridging token asset.
_approveFundsToAssetRouter is called to do the job, which utilizes IERC20.approve function inside. Below is the definition of _approveFundsToAssetRouter:
There is an issue with the _token.approve with tokens such as USDT because certain ERC20 tokens don't strictly follow ERC20 standard and their approve functions don't return a boolean value reflecting the result of approval action. Hence, the success variable won't be true despite having completed approval action and _approveFundsToAssetRouter function will revert with ApprovalFailed error.
Note: Another usage of IERC20.approve is spotted inside despoit function, but it won't be reached in such cases as the function is already reverted with an error in _approveFundsToAssetRouter.
Impact
The issue causes a Denial of Service (DoS) in the L1ERC20Bridge contract for tokens whose approve function does not return a boolean, such as USDT, preventing these tokens from being bridged.
Tools Used
Manual Review
Recommendations
Use OpenZeppelin's SafeERC20.forceApprove instead of IERC20.approve
Lead Judging Commences
`L1ERC20Bridge` Uses Unsafe Approvals - USDT won't work
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.