Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Y2K Finance>Medium findings>Incompatibility with USDT token
GeneralOverview
Findings
Critical (1)
High (3)
Medium (5)Incompatibility with USDT tokenConversion does not account for token decimalsMalicious users can profitIncorrect `weights` calculationIncorrect return value in `fetchEpochIds`
Low (4)
Informational (1)
DiscussionVariable naming suggestionDocumentation contains additional parameterThe function `_swapUniswapV2` can be rewrittenLayerZero configurationUse Non-blocking pattern instead of blocking pattern in lzReceiveUse reentrancy guards in deposit and withdraw functions
Threat ModelWhat are threat models?ERC4626.solHookAave.solHookAaveFixYield.solQueueContract.solStrategyVault.solSwapRouter.solbridgeController.solcurve.solswapController.soluniswapV2.soluniswapV3.solvaultController.solzapDest.solzapFrom.sol
Audit ResultsSummary
Category: Business Logic

Incompatibility with USDT token

Medium Severity
Medium Impact
Medium Likelihood

Description

While depositing ERC-20 tokens to the vault, the contract first approves the token to the vault using safeApprove from the solmate library and then calls deposit on the earthquake vault in a try-catch. The code is as follows:

function _depositToVault(
        uint256 id,
        uint256 amount,
        address inputToken,
        address vaultAddress
    ) internal returns (bool) {
        if (inputToken == sgEth) {
            try
                IEarthquake(vaultAddress).depositETH{value: amount}(
                    id,
                    address(this)
                )
            {} catch {
                return false;
            }
        } else {
            ERC20(inputToken).safeApprove(address(vaultAddress), amount);
            try
                IEarthquake(vaultAddress).deposit(id, amount, address(this))
            {} catch {
                return false;
            }
        }
        return true;
    }

If the call to deposit on the earthquake vault fails, it would be caught using the catch statement and the function would simply return false. In this case, the approval would not be decreased as the tokens would not be transferred to the earthquake vault. If this token is USDT, subsequent calls to safeApprove will revert, as USDT's approve function reverts if the current allowance is nonzero.

Impact

USDT deposits to the earthquake vault might fail in case any deposit to the vault fails.

Recommendations

Consider changing the code to the following:

function _depositToVault(
        uint256 id,
        uint256 amount,
        address inputToken,
        address vaultAddress
    ) internal returns (bool) {
        if (inputToken == sgEth) {
            try
                IEarthquake(vaultAddress).depositETH{value: amount}(
                    id,
                    address(this)
                )
            {} catch {
                return false;
            }
        } else {
+           ERC20(inputToken).safeApprove(address(vaultAddress), 0);            
            ERC20(inputToken).safeApprove(address(vaultAddress), amount);
            try
                IEarthquake(vaultAddress).deposit(id, amount, address(this))
            {} catch {
                return false;
            }
        }
        return true;
    }

Remediation

This issue has been acknowledged by Y2K Finance, and a fix was implemented in commit d17e221.

Zellic © 2024Back to top ↑