Use of deprecated safeApprove() function #5
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
invalid: This doesn't seem right
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/CitadelMinter.sol#L133
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/CitadelMinter.sol#L136
Vulnerability details
Impact
In CitadelMinter.sol the initialize() function makes use of safeApprove(). OpenZeppelin's safeApprove() implementation is deprecated. Using this deprecated function can lead to unintended reverts and potentially the locking of user funds.

Proof of Concept
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/CitadelMinter.sol#L133
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/CitadelMinter.sol#L136
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38
OpenZeppelin/openzeppelin-contracts#2219
Tools Used
Manual code review
Recommended Mitigation Steps
Consider replacing safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance().
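Added illustration of the failure mode and the mitigation above (hypothetical contract, not the Citadel code; assumes OpenZeppelin Contracts 4.x, where safeApprove() still exists but is marked deprecated):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical example contract written for this issue; not CitadelMinter.
contract ApprovalExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable spender;

    constructor(IERC20 _token, address _spender) {
        token = _token;
        spender = _spender;
    }

    /// BEFORE: the deprecated pattern. OpenZeppelin's safeApprove() requires
    /// `value == 0 || token.allowance(address(this), spender) == 0`, so once a
    /// non-zero allowance exists (this function run a second time, or an
    /// allowance set by another path) the call reverts with
    /// "SafeERC20: approve from non-zero to non-zero allowance".
    function setAllowanceDeprecated(uint256 amount) external {
        token.safeApprove(spender, amount);
    }

    /// AFTER: the recommended replacement. safeIncreaseAllowance() reads the
    /// current allowance and approves `current + amount`, so it never hits the
    /// non-zero-to-non-zero guard and still handles tokens that return no bool.
    function raiseAllowance(uint256 amount) external {
        token.safeIncreaseAllowance(spender, amount);
    }

    /// Lowering uses the matching helper; it reverts only if `amount` exceeds
    /// the current allowance ("SafeERC20: decreased allowance below zero").
    function lowerAllowance(uint256 amount) external {
        token.safeDecreaseAllowance(spender, amount);
    }
}
```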