Skip to content
This repository has been archived by the owner on Mar 10, 2024. It is now read-only.

codegpt - Deprecated safeApprove method #52

Closed
sherlock-admin2 opened this issue Sep 4, 2023 · 1 comment
Closed

codegpt - Deprecated safeApprove method #52

sherlock-admin2 opened this issue Sep 4, 2023 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Sep 4, 2023
edited
Loading

codegpt

medium

Deprecated safeApprove method

Summary

safeApprove() function is deprecated and still being used in the MultiAccount contract.

Vulnerability Detail

safeApprove() function has been deprecated by OpenZeppelin team since v3.1.0:

However, safeApprove() is still used in the following functions in MultiAccount contract:

  • depositForAccount
  • depositAndAllocateForAccount

Impact

Code Snippet

    function depositForAccount(
        address account,
        uint256 amount
    ) external onlyOwner(account, msg.sender) whenNotPaused {
        address collateral = ISymmio(symmioAddress).getCollateral();
        IERC20Upgradeable(collateral).safeTransferFrom(
            msg.sender,
            address(this),
            amount
        );
        IERC20Upgradeable(collateral).safeApprove(symmioAddress, amount);
        ISymmio(symmioAddress).depositFor(account, amount);
        emit DepositForAccount(msg.sender, account, amount);
    }

    function depositAndAllocateForAccount(
        address account,
        uint256 amount
    ) external onlyOwner(account, msg.sender) whenNotPaused {
        address collateral = ISymmio(symmioAddress).getCollateral();
        IERC20Upgradeable(collateral).safeTransferFrom(
            msg.sender,
            address(this),
            amount
        );
        IERC20Upgradeable(collateral).safeApprove(symmioAddress, amount);
        ISymmio(symmioAddress).depositFor(account, amount);
        bytes memory _callData = abi.encodeWithSignature(
            "allocate(uint256)",
            amount
        );
        innerCall(account, _callData);
        emit AllocateForAccount(msg.sender, account, amount);
        emit DepositForAccount(msg.sender, account, amount);
    }

https://github.com/sherlock-audit/2023-08-symmetrical/blob/main/symmio-core/contracts/multiAccount/MultiAccount.sol#L142C1-L176C6

Tool used

Manual Review

Recommendation

Recommend using safeIncreaseAllowance() and safeDecreaseAllowance() function instead.
@github-actions github-actions bot closed this as completed Sep 5, 2023
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Sep 5, 2023
@sherlock-admin
Copy link
Contributor

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, because no funds loss and is just best practice advice which is invalid by sherlock rules

0xyPhilic commented:

invalid because it can be considered informational

@sherlock-admin2 sherlock-admin2 changed the title Docile Carrot Owl - Deprecated safeApprove method codegpt - Deprecated safeApprove method Sep 18, 2023
@sherlock-admin2 sherlock-admin2 added the Non-Reward This issue will not receive a payout label Sep 18, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2