Lucene search

K
code423n4Code4renaCODE423N4:2022-06-NOTIONAL-COOP-FINDINGS-ISSUES-75
HistoryJun 12, 2022 - 12:00 a.m.

Users cannot initialize() a proxy with a currencyId with a different maturity

2022-06-1200:00:00
Code4rena
github.com
6

Lines of code
<https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashBase.sol#L73&gt;

Vulnerability details

The wfCashBase.initialize sets the allowance for NotionalV2 to the assetToken and underlyingToken to the maximum using SafeApprove. However, according to <https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/utils/SafeERC20.sol#L53-L56&gt;, SafeApprove function requires that the current approval is 0 before setting the new one.
Therefore, if a user want to initialize the contract with a currencyId that has already been used before, because the transaction will revert because the allowance =! 0 (line 68 & line 73).

Recommendation:
Add assetToken.safeApprove(address(NotionalV2), 0) before line 68 and underlyingToken.safeApprove(address(NotionalV2), 0) before line 73


The text was updated successfully, but these errors were encountered:

šŸ‘Ž 2 0xlgtm and berndartmueller reacted with thumbs down emoji

All reactions

  • šŸ‘Ž 2 reactions