Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

approve() return value not checked #115

Open
code423n4 opened this issue Jan 31, 2022 · 3 comments
Open

approve() return value not checked #115

code423n4 opened this issue Jan 31, 2022 · 3 comments
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working

Comments

@code423n4
Copy link
Contributor

Handle

sirhashalot

Vulnerability details

Impact

The approveToken() function in TreasuryManager.sol calls approve() on an ERC20 token, but does not check the return value of this call to confirm it completed as expected. Some tokens do not follow the ERC20 specifications as expected and do not revert if the approve failed, but checking if the function returns true can help to catch these edge cases.

This finding was identified in the last Notional contest as a medium risk, but I conservatively marked it as low risk.

Proof of Concept

Line 79 of TreasuryManager.sol is where approve() is called without any return value checks

Recommended Mitigation Steps

Check the return value of ERC20 operations to validate that they were successfully completed.
@code423n4 code423n4 added 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working labels Jan 31, 2022
code423n4 added a commit that referenced this issue Jan 31, 2022
@code423n4
sirhashalot issue #115
a9ad39b
@jeffywu jeffywu added the duplicate This issue or pull request already exists label Feb 6, 2022
@jeffywu
Copy link
Collaborator

jeffywu commented Feb 6, 2022

Duplicate #146

@pauliax
Copy link
Collaborator

pauliax commented Feb 12, 2022

approveToken is an external function only callable by the owner, so an owner can reset the approval first if necessary. I am marking this issue as a non-critical recommendation.

@pauliax pauliax reopened this Feb 12, 2022
@pauliax pauliax added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments duplicate This issue or pull request already exists labels Feb 12, 2022
@pauliax
Copy link
Collaborator

pauliax commented Feb 12, 2022

Making this a primary issue as it contains the most concise description.

This was referenced Feb 12, 2022
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jeffywu @pauliax @code423n4 @CloudEllie