In the AaveDIVAWrapperCore contract, the function _registerCollateralToken() calls _collateralTokenContract.approve() on line 116, which is not recommended for tokens like USDT.
If the owner of AaveDIVAWrapper registers an older ERC20 token such as USDT as collateral, this .approve() call can potentially prevent the token from being registered.
For USDT (and similar tokens), a call to approve() with a non-zero value fails if there is already a non-zero allowance. SafeERC20's forceApprove() is therefore recommended: it first sets the allowance to zero if that is required and only then sets it to the desired non-zero value.
Considering a legitimate owner, I didn't find any way to approve a non-zero value of _collateralTokenContract when it's not registered. There isn't a state change from registered to not-registered for a collateral token that could've left a non-zero allowance and caused re-registration of such tokens to fail. So practically there won't be a scenario in which there is already a non-zero allowance when the collateral is being registered.
There isn't any operational impact as per the current logic.
The use of forceApprove() is recommended in line 116 of AaveDIVAWrapperCore.sol for the collateral token.
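The difference between the two calls, as an added example that is not code from AaveDIVAWrapperCore.sol: GuardedApproveToken is a constructed mock that reproduces only the USDT-style allowance guard described above, and RegistrationDemo, its function names, the spender argument and the max-value allowance are hypothetical. It assumes OpenZeppelin Contracts 4.9 or later, where SafeERC20.forceApprove() is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: allowance bookkeeping only, with the USDT-style guard.
contract GuardedApproveToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        // Rejects changing a non-zero allowance directly to another non-zero value.
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
        return true;
    }
}

// Hypothetical stand-in for a wrapper that approves a spender during registration.
contract RegistrationDemo {
    using SafeERC20 for IERC20;

    // Plain approve(): succeeds on the first call for a given spender,
    // reverts on any later call because the allowance is already non-zero.
    function registerWithApprove(address token, address spender) external {
        IERC20(token).approve(spender, type(uint256).max);
    }

    // forceApprove(): tries approve(spender, value) first; if that call fails,
    // it sets the allowance to zero and then to the target value.
    // Succeeds whether or not an allowance already exists.
    function registerWithForceApprove(address token, address spender) external {
        IERC20(token).forceApprove(spender, type(uint256).max);
    }
}
```

Calling registerWithApprove() twice with the same token and spender reverts on the second call, while registerWithForceApprove() can be called repeatedly.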