AssetLogic :Must safeApprove 0 first #75
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
2 (Med Risk)
|
Duplicate of #154 |
|
Duplicate of #154 |
|
While it is a duplicate of a more severe issue, this warden has failed to explain this properly. Downgrading to |
0xleastwood
added
QA (Quality Assurance)
Eh, it seems most dupes of the primary issue are similar in this sense. Might as well put them all on the same level of severity. |
0xleastwood
added
2 (Med Risk)
|
Upon further thought, there is no mention of impact in how funds are handled during bridge transfers. Will downgrade to |
0xleastwood
added
QA (Quality Assurance)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/libraries/AssetLogic.sol#L347-L348
Vulnerability details
Impact
The safeApprove() function cannot set a non-zero value to a non-zero value, so before safeApprove a non-zero value, you need to safeApprove 0.
Proof of Concept
https://github.com/code-423n4/2022-06-connext/blob/4dd6149748b635f95460d4c3924c7e3fb6716967/contracts/contracts/core/connext/libraries/AssetLogic.sol#L347-L348
Tools Used
None
Recommended Mitigation Steps
Use safeApprove(_spender, 0) to set the allowance to zero immediately before each of the existing safeApprove() calls.
The text was updated successfully, but these errors were encountered: