Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-06-NOTIONAL-COOP-FINDINGS-ISSUES-75
HistoryJun 12, 2022 - 12:00 a.m.

Users cannot initialize() a proxy with a currencyId with a different maturity

2022-06-1200:00:00
Code4rena
github.com
6
safeapprove
notionalv2
erc20
JSON

Lines of code
<https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashBase.sol#L73&gt;

Vulnerability details

The wfCashBase.initialize sets the allowance for NotionalV2 to the assetToken and underlyingToken to the maximum using SafeApprove. However, according to <https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/utils/SafeERC20.sol#L53-L56&gt;, SafeApprove function requires that the current approval is 0 before setting the new one.
Therefore, if a user want to initialize the contract with a currencyId that has already been used before, because the transaction will revert because the allowance =! 0 (line 68 & line 73).

Recommendation:
Add assetToken.safeApprove(address(NotionalV2), 0) before line 68 and underlyingToken.safeApprove(address(NotionalV2), 0) before line 73

The text was updated successfully, but these errors were encountered:

šŸ‘Ž 2 0xlgtm and berndartmueller reacted with thumbs down emoji

All reactions

  • šŸ‘Ž 2 reactions
JSON