ERC-20 approve function reverts on nonstandard token
Description
As explained in Finding ref↗, the function _migrate
is called in order to update user balance and approve the migrator contract to transfer the user's token. For ERC20 tokens, the approve
function must return a bool
value. If not, the contract call to approve
reverts. Thus, the migration may not work for non-ERC20 tokens like USDT.
Impact
According to the documentation↗, a user should be able to restake USDT. However, USDT does not adhere to the ERC20 token standard. The USDT approve
function does not return anything. Since the contract is expecting a boolean value but, for USDT, does not get anything, then the contract reverts, preventing the user from migrating their USDT. However, no funds would be locked, and the users can withdraw their funds whenever they want.
Recommendations
The contract should use the function forceApprove
from SafeERC20↗, which was created specially to handle those cases of ERC20 and nonstandard tokens.
Remediation
This bug was reported by Level during the preaudit phase. Level will disable the migrate functionality and ask users to withdraw USDT and convert them to lvlUSD tokens by other means.