DeFiFoundrySolidity
16,653 OP
View results
Submission Details
Severity: low
Invalid

SafeERC20.safeApprove reverts for changing existing approvals

Summary

The setRouter function in StrategyArb and StrategyOp uses SafeERC20.safeApprove to grant the router an unlimited allowance for the underlying token. However, SafeERC20.safeApprove reverts when an existing non-zero allowance is modified to another non-zero value without being reset to zero first. This behavior can cause the function to fail if the same router is re-used or re-assigned after a previous approval. As a result, once the router is changed, it becomes impossible to revert to a previously used router.

Vulnerability Details

The SafeERC20.safeApprove function follows the best practice of resetting existing allowances to zero before setting a new non-zero allowance. If a previously used router is re-assigned, the approval process will revert due to this restriction. The safeApprove will revert if existing allowance is non zero due to check-

require(
(value == 0) || (token.allowance(address(this), spender) == 0),
"SafeERC20: approve from non-zero to non-zero allowance"
);

Impact

  1. If a previously approved router needs to be reassigned, the transaction will revert due to checks in safeApprove

Recommendations

To address this issue, modify the setRouter function to reset the approval of previous router to zero before granting a new allowance to new router.

function setRouter(address _router) external onlyManagement {
// Revoke approval for the current router
+ underlying.safeApprove(router, 0);
// Update router and grant new approval
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.