You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All swap calls to any target address can be easily DOS'ed
Summary
The execute function calls safeApprove on the token contract to approve amountIN of tokenIn to the target contract. This is done because after this, the target contract which is expected to be a DEX will be called with txData to swap these tokenIN to tokenOut.
But the problem is that the safeApprove() logic reverts if the spender (ie. target) already has a non-zero allowance for the tokenIN.
This can be used to easily DOS swaps for any and all tokens by putting in one exact output swap in the orders and filling it.
Such an exact output order will leave some amount of approval (even 1 wei will work)
Thereafter, whenever someones fills an order, the logic will reach execute()=> where safeApprove() will revert due to an existing non-zero approval.
safeapprove is done for amountIN but the whole execute flow does not reset the approval to zero after the operation, possibly resulting in a non zero approval pending
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Permanent DOS for all swaps of all tokens is possible, by an attacker leaving out tiny approvals for target DEXes
PoC
No response
Mitigation
No response
The text was updated successfully, but these errors were encountered:
Mean Malachite Frog
High
All swap calls to any target address can be easily DOS'ed
Summary
The execute function calls safeApprove on the token contract to approve amountIN of tokenIn to the
targetcontract. This is done because after this, thetargetcontract which is expected to be a DEX will be called with txData to swap these tokenIN to tokenOut.But the problem is that the safeApprove() logic reverts if the spender (ie.
target) already has a non-zero allowance for the tokenIN.This can be used to easily DOS swaps for any and all tokens by putting in one exact output swap in the orders and filling it.
Such an exact output order will leave some amount of approval (even 1 wei will work)
Thereafter, whenever someones fills an order, the logic will reach execute()=> where safeApprove() will revert due to an existing non-zero approval.
https://github.com/sherlock-audit/2024-11-oku/blob/main/oku-custom-order-types/contracts/interfaces/openzeppelin/SafeERC20.sol#L45-L54
This is imported in Bracket.sol where :
https://github.com/sherlock-audit/2024-11-oku/blob/ee3f781a73d65e33fb452c9a44eb1337c5cfdbd6/oku-custom-order-types/contracts/automatedTrigger/Bracket.sol#L539
safeapprove is done for amountIN but the whole execute flow does not reset the approval to zero after the operation, possibly resulting in a non zero approval pending
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Permanent DOS for all swaps of all tokens is possible, by an attacker leaving out tiny approvals for target DEXes
PoC
No response
Mitigation
No response
The text was updated successfully, but these errors were encountered: