DeFi, Foundry, Solidity
Submission Details
Severity: medium
Invalid

DoS while Re-setting Previously Used Router in `setRouter`

Summary

The `setRouter` function allows a user with the `onlyManagement` role to update the router address. However, OpenZeppelin's `safeApprove` implementation introduces a restriction:
A previously used router that still has a non-zero allowance cannot be set again unless that allowance is explicitly reset to zero beforehand.

Vulnerability Details

This occurs because `safeApprove` reverts when attempting to update a non-zero allowance directly, resulting in the error:
`revert: SafeERC20: approve from non-zero to non-zero allowance`

While the function works seamlessly for setting a new router (one that has not been used before or has an allowance of zero), it fails for routers that were previously assigned and still have a non-zero allowance.

Impact

It becomes impossible to re-set a router that has already been used (and has a non-zero allowance) without resetting the allowance first.

Tools Used

Manual Review, Foundry

Recommendations

To allow re-setting a previously used router, the contract should first reset the allowance for the currently assigned router to zero before approving a new one. This approach complies with OpenZeppelin's `safeApprove` behavior.
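
A sketch of the recommended pattern, added here as an illustration and not taken from the audited contract. The `RouterHolder` contract, its `asset` and `management` fields, and the max-allowance approval are assumptions, and it targets OpenZeppelin Contracts 4.x, where `safeApprove` is available. It goes slightly beyond the recommendation by also clearing any leftover allowance on the incoming router.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract for illustration only (OpenZeppelin Contracts 4.x).
contract RouterHolder {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset; // assumed: the token the router is allowed to spend
    address public management;     // assumed stand-in for the project's role check
    address public router;

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _asset, address _router) {
        asset = _asset;
        management = msg.sender;
        router = _router;
        // Allowance starts at zero, so safeApprove succeeds here.
        asset.safeApprove(_router, type(uint256).max);
    }

    function setRouter(address _router) external onlyManagement {
        // 1. Revoke the outgoing router. safeApprove always accepts value == 0.
        asset.safeApprove(router, 0);

        // 2. If the incoming router was used before and still holds an
        //    allowance, clear it; otherwise step 3 would revert with
        //    "SafeERC20: approve from non-zero to non-zero allowance".
        if (asset.allowance(address(this), _router) != 0) {
            asset.safeApprove(_router, 0);
        }

        // 3. The allowance is now zero, so the non-zero approval is permitted.
        router = _router;
        asset.safeApprove(_router, type(uint256).max);
    }
}
```

Revoking the outgoing router in step 1 also means a retired router no longer keeps spending rights over the contract's tokens.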

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
