Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unchecked `approve` for Aave `supply` May Fail Silently


Description:
Before calling `aavePool.supply`, the contract does:

```solidity
function _executeOpenOperation(address _asset, uint256 _amount, uint256 _premium, bytes calldata _params)
    internal
    returns (bool)
{
    (, address user, FlashLoanParams memory flashParams) =
        abi.decode(_params, (OperationType, address, FlashLoanParams));
    // Step 1: Supply flash loan amount + user's extra amount to Aave as collateral
    uint256 totalCollateral = _amount + flashParams.collateralAmount;
    IERC20(_asset).approve(address(aavePool), totalCollateral);
    aavePool.supply(_asset, totalCollateral, address(this), 0);
    ...
}
```

The return value of `approve` is not checked. Some ERC20 tokens return `false` instead of reverting on failure, so a failed approval goes unnoticed and the allowance granted to `aavePool` may not be set as expected.

Impact:
If the allowance is not set correctly, `aavePool.supply` can revert when it tries to pull the collateral, or otherwise behave unexpectedly, breaking the open-position flow.
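The following is an added illustration, not Stratax code: a constructed token whose `approve` reports failure by returning `false`, the unchecked call pattern from the finding, and a hardened variant whose `_safeApprove` helper (a hypothetical name, mirroring the rule OpenZeppelin's SafeERC20 applies) accepts either a `true` return or empty return data and reverts otherwise.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the Stratax contracts. Shows why a dropped
// `approve` return value matters and how a checked call behaves instead.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Constructed "weird" token: approve() signals failure by returning false
/// instead of reverting, and leaves the allowance untouched.
contract FalseReturningToken is IERC20 {
    mapping(address => mapping(address => uint256)) private _allowance;

    function approve(address, uint256) external pure override returns (bool) {
        return false; // allowance silently left unchanged
    }

    function allowance(address owner, address spender) external view override returns (uint256) {
        return _allowance[owner][spender];
    }
}

/// Mirrors the pattern in the finding: the bool from approve() is discarded.
contract UncheckedApprover {
    function setAllowance(IERC20 token, address spender, uint256 amount) external returns (uint256) {
        token.approve(spender, amount); // return value dropped
        // Against FalseReturningToken this returns 0: the caller never learns
        // that the approval failed, and a later supply/transferFrom would revert.
        return token.allowance(address(this), spender);
    }
}

/// Hardened form: a low-level call that treats `false` or a failed call as an
/// error, while still accepting tokens that return no data at all.
contract CheckedApprover {
    function setAllowance(IERC20 token, address spender, uint256 amount) external returns (uint256) {
        _safeApprove(token, spender, amount); // reverts against FalseReturningToken
        return token.allowance(address(this), spender);
    }

    // Hypothetical helper; same acceptance rule as OpenZeppelin SafeERC20:
    // success AND (no return data OR decoded bool is true).
    function _safeApprove(IERC20 token, address spender, uint256 amount) internal {
        (bool success, bytes memory data) =
            address(token).call(abi.encodeWithSelector(IERC20.approve.selector, spender, amount));
        require(success && (data.length == 0 || abi.decode(data, (bool))), "approve failed");
    }
}
```

Deploy `FalseReturningToken` and call `setAllowance` on both approvers with it: `UncheckedApprover` returns an allowance of 0 without error, while `CheckedApprover` reverts with `approve failed`, which is the behaviour the mitigation is after. The low-level form is used so the same helper also works for tokens that return no data, which a plain `IERC20.approve` call would reject when decoding the missing `bool`.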

Recommended Mitigation:

- IERC20(_asset).approve(address(aavePool), totalCollateral);
+ bool ok = IERC20(_asset).approve(address(aavePool), totalCollateral);
+ require(ok, "approve failed");
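Review bot: the `require(ok, "approve failed")` line only covers tokens that return `false`; a token that returns no data at all still reverts one line earlier, when the `bool` from `IERC20(_asset).approve(...)` is ABI-decoded, so this change does not make the call tolerant of the broader non-standard-token class the description mentions. Consider OpenZeppelin's `SafeERC20.forceApprove` (or an equivalent low-level call that accepts either `true` or empty return data) in place of the two `+` lines, and note that the interface-typed call is what enforces the decode.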
Updates

Lead Judging Commences

izuman Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

WEIRD ERC20 Tokens

Currently there is no support for weird ERC20 tokens, i.e. FOT tokens, missing return values, reentrancy, etc.
