Category: Business Logic

The approve function could fail

Medium Severity
Medium Impact
Medium Likelihood

Description

In the deposit function of FeeWrapper4626, the result of approve is checked before proceeding with the deposit. For nonstandard ERC-20 tokens, such as USDT, the approve function may not return a success status, which could cause the protocol to malfunction.

Additionally, some nonstandard ERC-20 tokens, including USDT, require a two-step approval process to prevent race conditions with allowances, as follows:

  1. nonzero -> 0

  2. 0 -> amount

This means a single approve call may not change the allowance.

Impact

This results in incompatibility with some nonstandard tokens.

Recommendations

We recommend using OpenZeppelin’s SafeERC20 versions, the safeIncreaseAllowance and safeDecreaseAllowance functions, which handle the return-value check as well as non-standard-compliant tokens.
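The checked-approve pattern described above beside the recommended replacement, as an added example that is not the audited FeeWrapper4626 code. The contract, its constructor and both function names are hypothetical, and it assumes OpenZeppelin Contracts v5.x, where safeIncreaseAllowance falls back to a reset to zero when the direct approve fails.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5.x is available to the compiler.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical wrapper used only to contrast the two approval patterns.
contract ApprovePatternExample {
    using SafeERC20 for IERC20;

    IERC4626 public immutable vault;
    IERC20 public immutable asset;

    constructor(IERC4626 vault_) {
        vault = vault_;
        asset = IERC20(vault_.asset());
    }

    // Before: the bool result of approve is checked.
    // 1. A token whose approve returns no data (USDT) makes the ABI decoder
    //    revert here, because IERC20 declares a bool return value.
    // 2. A token that rejects nonzero -> nonzero changes reverts whenever a
    //    previous deposit left part of the allowance unspent.
    function depositCheckedApprove(uint256 amount) external returns (uint256 shares) {
        // The transfer is already safe so that only the approve differs.
        asset.safeTransferFrom(msg.sender, address(this), amount);
        require(asset.approve(address(vault), amount), "approve failed");
        shares = vault.deposit(amount, msg.sender);
    }

    // After: SafeERC20 accepts an empty return value, reverts on an explicit
    // false, and in v5.x retries as approve(0) followed by approve(new value)
    // when the token refuses the direct change.
    function depositSafeAllowance(uint256 amount) external returns (uint256 shares) {
        asset.safeTransferFrom(msg.sender, address(this), amount);
        asset.safeIncreaseAllowance(address(vault), amount);
        shares = vault.deposit(amount, msg.sender);
    }
}
```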

Remediation

This issue has been acknowledged by StakeKit. The issue was fixed with commit . They now handle nonstandard ERC-20 tokens using OpenZeppelin’s SafeERC20 library.

Zellic © 2024