The function _approveCollateralTokenForAave incorrectly uses OpenZeppelin's safeIncreaseAllowance method to approve allowances for tokens like USDT on Ethereum. This method does not reset allowances to zero before setting a new value, violating the security requirements of non-compliant ERC20 tokens such as legacy USDT, which will cause transactions to revert.
Affected Code:
Root Cause:
Non-Compliant Token Behavior: Tokens like legacy USDT enforce a security check that reverts transactions if the allowance is modified from a non-zero value without first resetting it to zero.
safeIncreaseAllowance Mechanism: The method reads the current allowance, increments it, and calls approve with the new total. It does not reset to zero first, making it incompatible with non-standard tokens.
Critical Protocol Failure: Transactions involving non-compliant tokens (e.g., USDT) will revert, preventing the protocol from approving allowances for Aave V3 interactions.
Operational Disruption: Users cannot deposit or manage collateral tokens that follow this non-standard behavior, degrading protocol functionality.
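Added example (not the protocol's code) showing the revert path and the fix. LegacyUsdtLikeToken is a constructed mock of the legacy USDT approve() guard (approve returns no bool, so SafeERC20 is required); CollateralApprover is a hypothetical stand-in for the contract holding _approveCollateralTokenForAave, and the vulnerable path assumes OpenZeppelin 4.x, where safeIncreaseAllowance calls approve directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock of the legacy USDT allowance guard (not the real USDT code).
contract LegacyUsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // Legacy USDT: changing a non-zero allowance to another non-zero value reverts,
    // and approve() returns nothing (no bool), which is why callers must use SafeERC20.
    function approve(address spender, uint256 value) external {
        require(!(value != 0 && allowance[msg.sender][spender] != 0), "reset allowance to zero first");
        allowance[msg.sender][spender] = value;
    }
}

/// Hypothetical holder of the approval logic described in the finding.
contract CollateralApprover {
    using SafeERC20 for IERC20;

    // Vulnerable pattern: safeIncreaseAllowance reads allowance(this, pool), adds `amount`,
    // and calls approve(pool, oldAllowance + amount). On a USDT-like token this succeeds
    // only while the current allowance is zero; any later call with a non-zero allowance
    // left over (e.g. a partially consumed approval) reverts and blocks the Aave deposit.
    function approveVulnerable(IERC20 token, address pool, uint256 amount) external {
        token.safeIncreaseAllowance(pool, amount);
    }

    // Hardened pattern: forceApprove (OpenZeppelin >= 4.9) calls approve(pool, amount) and,
    // if that reverts, retries as approve(pool, 0) followed by approve(pool, amount).
    // This satisfies the zero-reset rule of legacy USDT and still works for compliant tokens.
    function approveHardened(IERC20 token, address pool, uint256 amount) external {
        token.forceApprove(pool, amount);
    }
}
```

Exercising approveVulnerable twice against LegacyUsdtLikeToken (second call with a non-zero allowance still set) reproduces the revert; approveHardened succeeds in the same sequence.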
Manual Code Review