Incompatibility with USDT as collateral due to non-standard `approve` implementation
Summary
The _registerCollateralToken function attempts to approve the Aave V3 Pool (_aaveV3Pool) for an unlimited allowance of the collateral token. However, if the collateral token is USDT on Ethereum Mainnet, the transaction will revert due to USDT's non-standard approve implementation, which does not return a boolean value as expected by OpenZeppelin's IERC20 interface.
Vulnerability Details
The function _registerCollateralToken calls:
_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
USDT's approve function does not return a boolean value, whereas OpenZeppelin's IERC20 interface expects a bool return type. When compiled and executed, this mismatch causes a revert in Solidity 0.8+ because the function signature does not align with the expected interface. As a result, the contract will fail to register USDT as a collateral token, preventing its use in the system.
Impact
USDT is one of the most widely used stablecoins in DeFi. The inability to register USDT as collateral** limits protocol** adoption and usability.
Any attempt to register USDT as a collateral token will always fail, making the system incompatible with one of the most liquid assets in the ecosystem.
The issue may also extend to other ERC20 aave supported tokens that do not strictly follow the OpenZeppelin
IERC20standard.
Tools Used
Manual Review
Recommendations
Use OpenZeppelin’s SafeERC20 Library:
Replace the direct approve call with SafeERC20.safeApprove, which accounts for non-standard tokens like USDT:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.