Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call to safeApprove without checking previous allowance in burnFees could result in locked funds #137

Closed
code423n4 opened this issue Jun 3, 2022 · 2 comments
Closed

Call to safeApprove without checking previous allowance in burnFees could result in locked funds #137

code423n4 opened this issue Jun 3, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists invalid This doesn't seem right

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L52

Vulnerability details

Impact

Using this deprecated function can lead to unintended reverts and potentially the locking of funds. A deeper discussion on the deprecation of this function is in OZ issue #2219 (OpenZeppelin/openzeppelin-contracts#2219).

Proof Of Concept

Refer to the burnFees function on line 35 of the RewardHandler contract (https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L35-L55).

function burnFees() external override {
    [...]
    feeBurner.burnToTarget{value: ethBalance}(tokens, targetLpToken);
    uint256 burnedAmount = IERC20(targetLpToken).balanceOf(address(this));
    IERC20(targetLpToken).safeApprove(address(bkdLocker), burnedAmount);
    [...]
}

Pool underlying tokens do correctly call the internal _approve function present in the RewardHandler contract that performs an allowance check before calling safeApprove (https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L46 & https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/RewardHandler.sol#L57-L65).

function _approve(address token, address spender) internal {
    if (IERC20(token).allowance(address(this), spender) > 0) return;
    IERC20(token).safeApprove(spender, type(uint256).max);
}

Tools Used

vim

Recommended Mitigation Steps

One potential mitigation would be to replace usage of safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance() instead. However, in the context of the RewardHandler.sol contract, it would be enough to use the internal _approve() function that has the additional check to ensure no previous allowance is outstanding, therefore preventing the locking of funds.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 3, 2022
code423n4 added a commit that referenced this issue Jun 3, 2022
@code423n4
bardamu issue #137
1544585
@chase-manning
Copy link
Collaborator

duplicate of #163

@chase-manning chase-manning added the duplicate This issue or pull request already exists label Jun 6, 2022
@GalloDaSballo
Copy link
Collaborator

Dup of #163

@GalloDaSballo GalloDaSballo added the invalid This doesn't seem right label Jun 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @chase-manning @code423n4