Volt Protocol contest - berndartmueller's results

Inflation Protected Stablecoin.

General Information

Platform: Code4rena

Start Date: 31/03/2022

Pot Size: $75,000 USDC

Total HM: 7

Participants: 42

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 5

Id: 102

League: ETH

Volt Protocol

Findings Distribution

Researcher Performance

Rank: 37/42

Findings: 1

Award: $124.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

124.9825 USDC - $124.98

Labels

bug
duplicate
QA (Quality Assurance)
sponsor disputed

External Links

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/pcv/compound/ERC20CompoundPCVDeposit.sol#L31

Vulnerability details

Impact

Some tokens, like USDT (see requirement line 199), require first reducing the address allowance to 0 by calling approve(_spender, 0) and then approving the actual allowance.

When using one of these unsupported tokens, all transactions revert and the protocol cannot be used.

Proof of Concept

pcv/compound/ERC20CompoundPCVDeposit.sol#L31

Tools Used

Manual review

Approve with a zero amount first before setting the actual amount:

token.approve(address(cToken), 0); // @audit-info add this line to reduce allowance to 0 first
token.approve(address(cToken), amount);
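
Added example, not part of the original submission or the Volt code base: a minimal mock of the USDT-style allowance guard described under Impact, with the direct approval next to the zero-first pattern from the mitigation. GuardedToken, Depositor, Scenario and spend() are hypothetical names; the mock models only the guard and returns a bool for simplicity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed mock: models only the USDT-style allowance guard.
contract GuardedToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        // A non-zero allowance cannot be changed to another non-zero value.
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset first");
        allowance[msg.sender][spender] = value;
        return true;
    }

    // Hypothetical helper: the spender consumes part of its allowance.
    function spend(address owner, uint256 value) external {
        allowance[owner][msg.sender] -= value;
    }
}

// Hypothetical depositor contrasting the two approval patterns.
contract Depositor {
    GuardedToken public immutable token;
    constructor(GuardedToken t) { token = t; }

    function approveDirect(address spender, uint256 amount) external {
        token.approve(spender, amount);
    }

    function approveZeroFirst(address spender, uint256 amount) external {
        token.approve(spender, 0); // clear any residual allowance
        token.approve(spender, amount);
    }
}

// Scenario: this contract plays the spender (the cToken's role on the page).
contract Scenario {
    function run() external returns (bool directOk, bool zeroFirstOk) {
        GuardedToken token = new GuardedToken();
        Depositor dep = new Depositor(token);
        dep.approveDirect(address(this), 10); // allowance 0 -> 10 succeeds
        token.spend(address(dep), 4);         // 6 left unspent
        try dep.approveDirect(address(this), 10) { directOk = true; } catch {}
        try dep.approveZeroFirst(address(this), 10) { zeroFirstOk = true; } catch {}
    }
}
```

In run(), the second direct approval hits the guard because 6 units of allowance remain, while the zero-first call goes through. The guard only triggers when a residual allowance is left over from an earlier approval.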

#0 - ElliotFriedman

2022-04-07T21:10:54Z

USDT or other non-standard ERC20 tokens will not be allowed into the PCV ever so this issue is invalid.

#1 - ElliotFriedman

2022-04-11T19:25:19Z

#2 - ElliotFriedman

2022-04-11T19:40:47Z

#3 - JeeberC4

2022-05-03T22:10:07Z

Generating QA Report as warden did not submit one and judge downgraded issue, preserving original title: Missing approve(_spender, 0)
