The setRouter function allows a user with the onlyManagement role to update the router address. However, OpenZeppelin's safeApprove implementation introduces a restriction:
It is not possible to re-set a previously used router with a non-zero allowance unless the allowance is explicitly reset to zero beforehand.
This occurs because safeApprove reverts when attempting to update a non-zero allowance directly, resulting in the error:
revert: SafeERC20: approve from non-zero to non-zero allowance
While the function works seamlessly for setting a new router (one that has not been used before or has an allowance of zero), it fails for routers that were previously assigned and still have a non-zero allowance.
It becomes impossible to re-set a router that has already been used (and has a non-zero allowance) without resetting the allowance first.
Manual Review, Foundry
To allow re-setting a previously used router, the contract should first reset the allowance for the currently assigned router to zero before approving a new one. This approach complies with OpenZeppelin's safeApprove behavior.
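The recommendation above, sketched as an added example; this is not the audited contract's code. It assumes OpenZeppelin Contracts v4.x (where safeApprove exists), and the contract name, the asset and management variables, and setRouterNoReset are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative contract with hypothetical names; assumes OpenZeppelin Contracts v4.x.
contract RouterApprovalExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;       // assumed: token the router may spend
    address public immutable management; // assumed: stand-in for the real access control
    address public router;

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _asset, address _router) {
        asset = _asset;
        management = msg.sender;
        router = _router;
        _asset.safeApprove(_router, type(uint256).max);
    }

    // Assumed shape of the behaviour the finding describes: the new router is
    // approved, but the previous one keeps its allowance. Switching A -> B -> A
    // reverts on the last call, because A's allowance is still non-zero and
    // safeApprove only accepts a non-zero value when the current allowance is 0.
    function setRouterNoReset(address _router) external onlyManagement {
        router = _router;
        asset.safeApprove(_router, type(uint256).max);
    }

    // Recommended shape: zero the current router's allowance first.
    // safeApprove(spender, 0) always passes the non-zero-to-non-zero check,
    // so A -> B -> A (and re-setting the same router) succeeds, and the
    // replaced router no longer holds any spending power over the asset.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        asset.safeApprove(router, 0);
        router = _router;
        asset.safeApprove(_router, type(uint256).max);
    }
}
```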