Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

Unchecked `approve` for Aave `supply` May Fail Silently

Author: Revealed upon completion


Description:
Before calling aavePool.supply, the contract does:

    function _executeOpenOperation(address _asset, uint256 _amount, uint256 _premium, bytes calldata _params)
        internal
        returns (bool)
    {
        (, address user, FlashLoanParams memory flashParams) =
            abi.decode(_params, (OperationType, address, FlashLoanParams));
        // Step 1: Supply flash loan amount + user's extra amount to Aave as collateral
        uint256 totalCollateral = _amount + flashParams.collateralAmount;
        // Return value of approve is discarded here
        IERC20(_asset).approve(address(aavePool), totalCollateral);
        aavePool.supply(_asset, totalCollateral, address(this), 0);
        ...
    }

The return value of `approve` is not checked. Some ERC20 tokens return `false` on failure instead of reverting; with such a token the call succeeds from the contract's point of view while the allowance for `aavePool` is never set.

Impact:
If the allowance is not set correctly, the subsequent `aavePool.supply` call can revert or behave unexpectedly, breaking the open-position flow.
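To make the failure mode concrete, here is an added, self-contained illustration (not Stratax code): a constructed mock token whose `approve` returns `false` without writing the allowance, beside a hypothetical contract that performs the approval once in the unchecked form from the description and once in the checked form from the mitigation. `FalseReturnToken`, `IERC20Like`, `ApproveDemo` and the `pool` address are all assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock: an ERC20 whose approve() reports failure by returning false
// instead of reverting. The allowance mapping is never written.
contract FalseReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address, uint256) external pure returns (bool) {
        return false; // silent failure: no revert, no allowance update
    }
}

interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical stand-in for the open-position step (not the project's code).
contract ApproveDemo {
    address public immutable pool; // assumed stand-in for aavePool

    constructor(address _pool) {
        pool = _pool;
    }

    // Mirrors the original: the boolean returned by approve is ignored,
    // so with FalseReturnToken this returns 0 and execution simply continues
    // into whatever follows (the supply call, in the real contract).
    function uncheckedApprove(address asset, uint256 amount) external returns (uint256) {
        IERC20Like(asset).approve(pool, amount);
        return IERC20Like(asset).allowance(address(this), pool);
    }

    // Mirrors the recommended mitigation: with FalseReturnToken this reverts
    // with "approve failed" instead of proceeding with a zero allowance.
    function checkedApprove(address asset, uint256 amount) external returns (uint256) {
        bool ok = IERC20Like(asset).approve(pool, amount);
        require(ok, "approve failed");
        return IERC20Like(asset).allowance(address(this), pool);
    }
}
```

Deploying `FalseReturnToken` and calling both functions against it shows the difference: `uncheckedApprove` returns `0` and succeeds, `checkedApprove` reverts.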

Recommended Mitigation:

- IERC20(_asset).approve(address(aavePool), totalCollateral);
+ bool ok = IERC20(_asset).approve(address(aavePool), totalCollateral);
+ require(ok, "approve failed");
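Review bot: the `bool ok = ... approve(...)` / `require(ok, "approve failed")` pair only covers tokens that return `false`; a token whose `approve` returns no data at all will revert on the `IERC20` return-value decode with or without this check, so the guard closes the silent-false case but not the broader non-standard-token problem. Consider OpenZeppelin's `SafeERC20.forceApprove` (or `safeIncreaseAllowance`) here instead, which tolerates both missing and `false` return values and also handles tokens that require the allowance to be reset to zero before being changed.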
