shealtielanz - Must Approve Zero First

[sherlock-admin]

shealtielanz

medium

Must Approve Zero First

Line of Issue

Summary

In the flashloan contract, if a certain condition is true, it approves the ironBank contract to an unlimited amount of tokens, without considering that the input token could revert if it isn't approved to zero first.

Vulnerability Detail

Take a look at the _loan function in the flashloan contract. Link here

        if (allowance < amount) {
            IERC20(token).safeApprove(ironbank, type(uint256).max);
        }

Here it just approves the IronBank to the desired amount, without considering tokens that revert with approving to zero first, and also safeApprove function is depreciated in real time, safeIncreaseAllowance or safeDecreaseAllowance should be used, due to race conditions and more.

Impact

Some tokens (like USDT) do not work when changing the allowance from an existing non-zero allowance value. They must first be approved by zero and then the actual allowance must be approved, meaning if called with such token the _loan function will always revert.

Code Snippet

• https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/flashLoan/FlashLoan.sol#LL106C1-L110C1

Tool used

Manual Review, A Little Research

Recommendation

While approving to zero is the most used and standard way, it has been depreciated so I would advise the developers to use the safeIncreaseAllowance or safeDecreaseAllowance function as it mitigates this issue.
A better way would be:

        if (allowance < amount) {
            IERC20(token). safeIncreaseAllowance(ironbank, type(uint256).max);
        }

But the more standard way would be:

        if (allowance < amount) {
            IERC20(token).safeApprove(ironbank, 0);
            IERC20(token).safeApprove(ironbank, type(uint256).max);
        }

Duplicate of #420

[shealtielanz]

Escalate for 10 USDC
This is a well know issue, tokens like usdt or usdc have to be first approved to zero, before being approved to the desired amount, the flashloan will be DOSed with tokens like that limiting its use, I request that the Sponsors do more research on this matter to verify.

[sherlock-admin]

Escalate for 10 USDC
This is a well know issue, tokens like usdt or usdc have to be first approved to zero, before being approved to the desired amount, the flashloan will be DOSed with tokens like that limiting its use, I request that the Sponsors do more research on this matter to verify.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[0xffff11]

The if statement will only be entered 1 time. Therefore it won't happen the approval from non-zero to x value. Invalid

[hrishibhat]

Result:
Invalid
Duplicate of #420
This is not a valid issue as pointed out by the Lead Judge as well and the Sponsor in #420

[sherlock-admin]

Escalations have been resolved successfully!

Escalation status:

• shealtielanz: rejected