Skip to content

Latest commit

 

History

History
59 lines (41 loc) · 1.52 KB

110.md

File metadata and controls

59 lines (41 loc) · 1.52 KB

Fast Khaki Raccoon

Medium

Catch mechanism will revert for tokens such as BNB

Summary

Catch mechanism will revert for tokens such as BNB

Root Cause

Upon swapping tokens in TokenRewards (similar thing is also in other places in code), we have the following code:

try
            DEX_ADAPTER.swapV3Single(...)
        {
            ...
        } catch {
            ...
            IERC20(PAIRED_LP_TOKEN).safeDecreaseAllowance(address(DEX_ADAPTER), _amountIn);
            ...
        }

The safeDecreaseAllowance() call will fail if the PAIRED_LP_TOKEN is BNB as upon approving BNB to 0, this causes a revert:

    function approve(address _spender, uint256 _value)
        returns (bool success) {
		if (_value <= 0) throw; 
        allowance[msg.sender][_spender] = _value;
        return true;
    }

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. The swap fails and it is supposed to be caught in the catch block (can fail due to let's say, the slippage provided and can be abused by an attacker by conducting a swap before the call)
  2. Upon decreasing the allowance to 0, this calls approve() with 0 on the BNB token
  3. This results in a revert

Impact

DoS of functionalities as the catch mechanism doesn't work, this can be abused by malicious users by making the swap fail due to the provided slippage and the catch mechanism will then fail.

PoC

No response

Mitigation

Do not approve tokens such as BNB to 0