Lack of safeApprove(0)
prevents some registrations, and the changing of stakers and LP tokens
#180
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
reviewed
Issues that Backd has reviewed (just for internal tracking, can ignore this)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L50
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/pool/LiquidityPool.sol#L721
Vulnerability details
OpenZeppelin's
safeApprove()
will revert if the account already is approved and the newsafeApprove()
is done with a non-zero valuehttps://github.com/OpenZeppelin/openzeppelin-contracts/blob/fcf35e5722847f5eadaaee052968a8a54d03622a/contracts/token/ERC20/utils/SafeERC20.sol#L45-L58
Impact
Customers can be prevented from
register()
ing the sametoken
/stakerVaultAddress
as another customer; and once changed away from, stakers and lptokens can't be used in the future.Proof of Concept
There are multiple places where
safeApprove()
is called a second time without setting the value to zero first.register()
callslockFunds()
for each user registration, and since users will use the same tokens and staker vaults, the second user'sregister()
call will fail:https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/actions/topup/TopUpAction.sol#L36-L50
The changing of either the staker or an lp token is behind a time-lock, and once the time has passed, the changed variables rely on this function:
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/pool/LiquidityPool.sol#L717-L722
If a bug is found in a new
staker
orlpToken
and the governor wishes to change back to the old one(s), the governor will have to wait for the time-lock delay only to find out that the old value(s) cause the code to revert.I've filed the other more-severe instances as a separate high-severity issue, and flagged the remaining low-severity instances in my QA report
Tools Used
Code inspection
Recommended Mitigation Steps
Always do
safeApprove(0)
if the allowance is being changed, or usesafeIncreaseAllowance()
The text was updated successfully, but these errors were encountered: