Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TransferHelper.safeApprove(_token, _target, _amount); does not approve 0 first. #1892

Closed
code423n4 opened this issue Sep 5, 2023 · 6 comments
Closed

TransferHelper.safeApprove(_token, _target, _amount); does not approve 0 first. #1892

code423n4 opened this issue Sep 5, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1662 edited-by-warden low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Copy link
Contributor

code423n4 commented Sep 5, 2023
edited by captainmangoC4
Loading

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/libraries/TransferHelper.sol#L6-L15
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/amo/UniV3LiquidityAmo.sol#L146-L148
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L150-L163

Vulnerability details

Impact

These are the functions that call TransferHelper.safeApprove and can be reverted due to SafeERC20.safeApprove. It makes impossible to change just one address for ReLPContract and PerpetualAtlanticVault.

  • ReLPContract.setAddresses
  • V3Amo.approveTarget
  • PerpetualAtlanticVault.setAddress reverts if called twice and some arguments remain the same. This is shown below.

Proof of Concept

The comment says it approves 0 first, but actually TransferHelper.safeApprove does not approves 0 first.
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/libraries/TransferHelper.sol#L6-L15

Add tests/perp-vault/POC.sol and run forge test --mt test_setAddresses.

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.19;

import { Test } from "forge-std/Test.sol";

import { ERC721Holder } from "@openzeppelin/contracts/token/ERC721/utils/ERC721Holder.sol";
import { Setup } from "./Setup.t.sol";
import { PerpetualAtlanticVault } from "contracts/perp-vault/PerpetualAtlanticVault.sol";
import { OptionPricingSimple } from "contracts/libraries/OptionPricingSimple.sol";
import { console } from "forge-std/console.sol";

contract POC is ERC721Holder, Setup {
    // ================================ CORE ================================ //
    function test_setAddresses() external {
        vm.expectRevert("SafeERC20: approve from non-zero to non-zero allowance");
        vault.setAddresses(
            address(1),
            address(priceOracle),
            address(volOracle),
            address(1),
            address(rdpx),
            address(vaultLp),
            address(this)
        );
    }
}

Tools Used

Manual, foundry

Recommended Mitigation Steps

  1. Use SafeERC20.forceApprove. It approves 0 if necessary. https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/utils/SafeERC20.sol#L76
  2. You can also use SafeERC20.increaseAllowance and decreaseAllowance instead.

Assessed type

Other
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 5, 2023
code423n4 added a commit that referenced this issue Sep 5, 2023
@code423n4
qpzm issue #1892
5f7b038
@c4-pre-sort
Copy link

bytes032 marked the issue as duplicate of #928

@c4-pre-sort
Copy link

bytes032 marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 11, 2023
@bytes032
Copy link

Mentions only OOS

@c4-pre-sort c4-pre-sort reopened this Sep 11, 2023
@c4-pre-sort
Copy link

bytes032 marked the issue as not a duplicate

@c4-pre-sort
Copy link

bytes032 marked the issue as duplicate of #1662

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Oct 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Oct 6, 2023

GalloDaSballo marked the issue as unsatisfactory:
Out of scope

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1662 edited-by-warden low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@code423n4 @captainmangoC4 @c4-judge @c4-pre-sort @bytes032