Platform: Code4rena
Start Date: 16/11/2021
Pot Size: $30,000 USDC
Total HM: 3
Participants: 18
Period: 3 days
Judge: leastwood
Total Solo HM: 2
Id: 56
League: ETH
Rank: 9/18
Findings: 1
Award: $338.18
🌟 Selected for report: 1
🚀 Solo Findings: 0
338.1819 USDC - $338.18
jonah1005
The Alchemist.sol does not use safeApprove.

    /// @dev sends tokens to the transmuter
    ///
    /// benefit of great nation of transmuter
    function _distributeToTransmuter(uint256 amount) internal {
        token.approve(transmuter, amount);
        ITransmuter(transmuter).distribute(address(this), amount);
        // lower debt cause of 'burn'
        xtoken.lowerHasMinted(amount);
    }

This would not work if the token contract is USDT.
USDT only allows users to change the allowance from zero.
USDT does not return any value in the approve function.
I consider this a medium-risk issue.
None

    token.safeApprove(transmuter, 0);
    token.safeApprove(transmuter, amount);

#0 - Xuefeng-Zhu
2021-11-29T08:33:03Z
We will not use USDT
#1 - loudoguno
2021-12-07T00:48:21Z
@Xuefeng-Zhu, can you clarify whether you disputed or acknowledged this submission?
#2 - Xuefeng-Zhu
2021-12-08T08:39:13Z
Sorry for the confusion, it is a dispute.
#3 - 0xleastwood
2021-12-21T03:27:32Z
While it is true that USDT may not be intended to be used, there are many non-standard implementations of tokens that will require this same logic. Hence, I think this can be kept open as a valid issue.
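
The two token behaviours described in the finding, and the reset-then-approve pattern it recommends, as an added example that is not part of the submission or of the audited code base. `UsdtLikeToken`, `IERC20Approve`, `ApproveHelper` and `ApproveDemo` are hypothetical names, and the helper is a hand-written stand-in for a SafeERC20-style wrapper, not the library itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Constructed mock (not Tether's code) with the two behaviours named in the finding.
contract UsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    // Returns nothing; a non-zero allowance can only be set when the current one is zero.
    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to 0 first");
        allowance[msg.sender][spender] = value;
    }
}

interface IERC20Approve {
    function approve(address spender, uint256 value) external returns (bool);
}

// Hypothetical helper; a hand-written stand-in for a SafeERC20-style wrapper.
library ApproveHelper {
    // Low-level call: empty return data is accepted, a revert or `false` is not.
    function _callApprove(address token, address spender, uint256 value) private {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Approve.approve.selector, spender, value)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }

    // Zero the allowance first so the second call always starts from zero.
    function resetAndApprove(address token, address spender, uint256 value) internal {
        _callApprove(token, spender, 0);
        _callApprove(token, spender, value);
    }
}

// Hypothetical caller standing in for the approve step of _distributeToTransmuter.
contract ApproveDemo {
    // Reverts against UsdtLikeToken: the caller expects a bool and gets empty return data.
    function naiveApprove(address token, address spender, uint256 amount) external {
        IERC20Approve(token).approve(spender, amount);
    }

    // Succeeds against UsdtLikeToken and standard tokens, even with a leftover allowance.
    function resetThenApprove(address token, address spender, uint256 amount) external {
        ApproveHelper.resetAndApprove(token, spender, amount);
    }
}
```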