Platform: Code4rena
Start Date: 05/05/2022
Pot Size: $125,000 DAI
Total HM: 17
Participants: 62
Period: 14 days
Judge: leastwood
Total Solo HM: 15
Id: 120
League: ETH
Rank: 46/62
Findings: 1
Award: $188.90
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, 0xsomeone, AuditsAreUS, BouSalman, BowTiedWardens, Cityscape, Funen, GimelSec, Hawkeye, JC, MaratCerby, MiloTruck, Picodes, Ruhum, TerrierLover, WatchPug, Waze, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, ellahi, fatherOfBlocks, hake, horsefacts, hyh, jayjonah8, joestakey, kebabsec, kenta, mics, oyc_109, robee, samruna, shenwilly, sikorico, simon135, throttle, tintin
188.8964 DAI - $188.90
safeApprove() functionhttps://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemistV2.sol#L382 https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemistV2.sol#L383
In AlchemistV2.sol the addYieldToken() function makes use of safeApprove from Open Zeppelin. The safeApprove implementation is deprecated. Using this deprecated function can lead to unintended reverts and potentially the locking of user funds.
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemistV2.sol#L382
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-full/AlchemistV2.sol#L383
https://github.com/OpenZeppelin/openzeppelin-contracts/issues/2219
Manual code review
Consider replacing safeApprove() with safeIncreaseAllowance() or safeDecreaseAllowance() instead.
#0 - 0xfoobar
2022-05-30T06:31:28Z
Sponsor acknowledged
Not a practical concern, just a better design
#1 - 0xleastwood
2022-06-02T19:12:30Z
Agree with sponsor, putting this in the warden's QA report instead.