Incorrect approve() Handling for Tokens Without Return Values
Summary
A key vulnerability was identified regarding the approve function, which does not account for non-standard ERC-20 implementations, such as USDT on Ethereum mainnet. This issue could lead to transaction failures when interacting with such tokens.
Vulnerability Details
Incorrect Handling of approve() for Non-Standard ERC-20 Tokens
-
The contract calls
approve()on_collateralTokenContractand_wTokenContractwithout verifying whether the function returns a value. -
Some ERC-20 tokens, like USDT, do not return a boolean value as expected by the standard ERC-20 interface.
-
In Solidity 0.8+, this can cause unexpected reverts or silent failures when interacting with such tokens.
-
The affected code:
Impact
-
Potential Transaction Reverts: If an ERC-20 token does not return a value, the contract could fail when processing approvals.
-
Integration Issues: Since the contract supports stablecoins like USDT, this bug could impact users depositing USDT as collateral.
-
Reduced Token Compatibility: The contract may not work seamlessly with non-standard ERC-20 implementations, affecting usability and adoption.
Tools Used
-
Manual code review
-
OpenZeppelin’s ERC-20 standard documentation
-
Solidity documentation on function return types
-
Known ERC-20 behavior analysis (e.g., USDT on Ethereum)
Recommendations
Use OpenZeppelin’s
SafeERC20.safeIncreaseAllowance()instead ofapprove()to handle non-standard ERC-20 tokens correctly:
-
Consider implementing a fallback mechanism for tokens that do not support approve() correctly.
-
Test with non-standard ERC-20 tokens like USDT to ensure compatibility.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.