Description:
The _registerCollateralToken function uses approve instead of safeApprove for ERC20 token approvals. This creates compatibility issues with non-standard ERC20 tokens (e.g., USDT) that require allowances to be reset to zero before setting a new value.
Root Cause:
Direct Use of approve: The code calls _collateralTokenContract.approve(_aaveV3Pool, type(uint256).max) directly, which does not handle tokens that revert when an existing non-zero allowance is changed to another non-zero value.
Non-Compliant ERC20 Tokens: Tokens like USDT on Ethereum enforce a "zero-reset" before increasing allowance, causing transactions to revert if not followed.
Impact:
Denial of Service (DoS): Collateral tokens requiring allowance resets (e.g., USDT) cannot be registered, breaking core functionality.
Reduced Protocol Utility: Inability to support widely used Aave collateral assets (Medium Severity).
Recommendation:
Replace approve with OpenZeppelin’s safeApprove to handle non-standard tokens.
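As an added example (not code from the audited project or from OpenZeppelin), a mock USDT-style token that enforces the zero-reset rule, beside a hypothetical registrar that shows the finding's raw approve next to a reset-then-approve form; contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (constructed for this example).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Mock of a zero-reset token: reverts on a non-zero -> non-zero allowance change,
// the behaviour the finding describes for USDT on Ethereum mainnet.
// (Real USDT additionally returns no bool from approve, which is why
// OpenZeppelin's SafeERC20 wraps approvals in a low-level call.)
contract ZeroResetToken is IERC20 {
    mapping(address => mapping(address => uint256)) private _allowances;

    function approve(address spender, uint256 amount) external returns (bool) {
        require(amount == 0 || _allowances[msg.sender][spender] == 0, "reset to zero first");
        _allowances[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }
}

// Hypothetical registrar reproducing the pattern from _registerCollateralToken.
contract CollateralRegistrar {
    address public immutable aaveV3Pool;

    constructor(address pool) { aaveV3Pool = pool; }

    // Vulnerable form: a second registration of a zero-reset token reverts
    // because the allowance is already non-zero (DoS on registration).
    function registerUnsafe(IERC20 token) external {
        token.approve(aaveV3Pool, type(uint256).max);
    }

    // Hardened form: clear any existing allowance before setting the new one,
    // the same sequence OpenZeppelin's forceApprove performs internally.
    function registerSafe(IERC20 token) external {
        if (token.allowance(address(this), aaveV3Pool) != 0) {
            require(token.approve(aaveV3Pool, 0), "reset failed");
        }
        require(token.approve(aaveV3Pool, type(uint256).max), "approve failed");
    }
}
```

Note that OpenZeppelin v4's safeApprove itself reverts when a non-zero allowance is changed to another non-zero value rather than resetting it; forceApprove (added in v4.9 and the only option in v5, where safeApprove was removed) performs the zero-reset shown in registerSafe.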