Use of deprecated safeApprove() function
#7
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
invalid: This doesn't seem right
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/Funding.sol#L142
Vulnerability details
Impact
In Funding.sol the initialize() function makes use of safeApprove(). OpenZeppelin's safeApprove() implementation is deprecated. Using this deprecated function can lead to unintended reverts and potentially the locking of user funds.
Proof of Concept
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/Funding.sol#L142
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/566a774222707e424896c0c390a84dc3c13bdcb2/contracts/token/ERC20/utils/SafeERC20.sol#L38
OpenZeppelin/openzeppelin-contracts#2219
Tools Used
Manual code review
Recommended Mitigation Steps
Consider replacing safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance()
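To make the failure mode and the suggested fix concrete, here is an added example (not code from the Badger Citadel repository and not the warden's own PoC). The contract AllowanceExample and its functions are hypothetical; it imports the OpenZeppelin SafeERC20 library the finding links to. The revert condition shown in the comment is the one in that library's safeApprove(): it requires either the new value to be zero or the existing allowance to be zero, and reverts otherwise.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Hypothetical contract written for this example; it is not Funding.sol.
/// It shows the deprecated pattern beside the recommended replacement.
contract AllowanceExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable spender;

    constructor(IERC20 _token, address _spender) {
        token = _token;
        spender = _spender;
    }

    /// Deprecated pattern (the one flagged in the finding).
    /// SafeERC20.safeApprove() contains the check
    ///     require((value == 0) || (token.allowance(address(this), spender) == 0),
    ///             "SafeERC20: approve from non-zero to non-zero allowance");
    /// so any call made while an allowance is already outstanding reverts.
    /// If such a call sits on the only path that moves funds, those funds are stuck.
    function approveDeprecated(uint256 amount) external {
        token.safeApprove(spender, amount);
    }

    /// Recommended replacement. safeIncreaseAllowance() reads the current
    /// allowance and approves (current + amount); it has no non-zero-to-non-zero
    /// guard, so it cannot revert for that reason.
    function approveRecommended(uint256 amount) external {
        token.safeIncreaseAllowance(spender, amount);
    }

    /// When "set the allowance to exactly amount" semantics are needed, bring the
    /// allowance down to zero first and then raise it, using only the
    /// non-deprecated helpers.
    function approveExact(uint256 amount) external {
        uint256 current = token.allowance(address(this), spender);
        if (current > 0) {
            token.safeDecreaseAllowance(spender, current);
        }
        if (amount > 0) {
            token.safeIncreaseAllowance(spender, amount);
        }
    }
}
```

One caveat worth checking before adopting the fix: safeIncreaseAllowance() ends in a single approve(current + amount) call, so a token whose own approve() insists on a zero allowance before a non-zero one (a pattern some widely used tokens implement) will still revert when current is non-zero. For such tokens the approveExact pattern above, which resets to zero first, is the safer shape. Later OpenZeppelin releases (4.9 and up) also ship forceApprove(), which performs that zero-then-set sequence internally, and 5.x removes safeApprove() altogether.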