Comments (14)
VagnerAndrei26
commented on July 29, 2024
3
Escalate
I'm escalating this to be looked on
I understand there seem to be some conflict within the contest details, but ultimately I think this is definitely an issue worth bringing up given notional is definitely interested in setting USDT as a lendToken in such vaults and not allowing such approvals would be affecting potential functionality and even potential profits since deposits from notional will be bricked.
Which ERC20 tokens do you expect will interact with the smart contracts?
any
I think in this case we should consider any ERC20 tokens beside the ones with non-standard behavior, since the README specifies no tokens with non-standard behavior should be considered for this audit.
from 2023-10-notional-judging.
Czar102
commented on July 29, 2024
2
I agree, this is not a valid issue. If "any" ERC20 token is allowed, there could me a token that reverts on all interactions so we couldn't use it anyway. As said in Sherlock docs, the weird trait needs to be explicitly mentioned in the README so that its existence implying a loss of funds would be valid.
This issue may provide value to the team, but is not a valid finding in Sherlock. Planning to accept the escalation and make this issue invalid.
from 2023-10-notional-judging.
nevillehuang
commented on July 29, 2024
1
@Czar102 agree with your reasoning, would take that into consideration in future judging decisions. My suggestion is to include the weird erc-20 github repo link for further clarification within the question for further clarification, which I believe will benefit all judges, watsons and sponsors.
from 2023-10-notional-judging.
jeffywu
commented on July 29, 2024
Acknowledged
from 2023-10-notional-judging.
jeffywu
commented on July 29, 2024
notional-finance/leveraged-vaults#64
from 2023-10-notional-judging.
gstoyanovbg
commented on July 29, 2024
Sherlock's rules:
- Non-Standard tokens: Issues related to tokens with non-standard behaviors, such as weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README.
Weird-erc20:
Some tokens (e.g. USDT, KNC) do not allow approving an amount M > 0 when an existing amount N > 0 is already approved. This is to protect from an ERC20 attack vector described here.
README:
Q: Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
No
@nevillehuang From my perspective this issue should be invalid because USDT is not explicitly mentioned in the README. Do i miss something ?
from 2023-10-notional-judging.
nevillehuang
commented on July 29, 2024
I understand there seem to be some conflict within the contest details, but ultimately I think this is definitely an issue worth bringing up given notional is definitely interested in setting USDT as a lendToken in such vaults and not allowing such approvals would be affecting potential functionality and even potential profits since deposits from notional will be bricked.
Which ERC20 tokens do you expect will interact with the smart contracts?
any
from 2023-10-notional-judging.
0xRizwan
commented on July 29, 2024
I agree with @gstoyanovbg comment.
approve to zero in case of USDT is the non-standard behavior and it is not explicitly mentioned in readme.md.
My understanding is, this particular question in readme is used to handle such non-standard token issue and in this case its none. If it was USDT/USDC instead of No then i think the issue could be considered as valid per sherlock rules.
Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
No
Also, i think below sherlock rule is referencing to this question,
Sherlock's rules:
Non-Standard tokens: Issues related to tokens with non-standard behaviors, such as weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README.
from 2023-10-notional-judging.
sherlock-admin2
commented on July 29, 2024
Escalate
I'm escalating this to be looked onI understand there seem to be some conflict within the contest details, but ultimately I think this is definitely an issue worth bringing up given notional is definitely interested in setting USDT as a lendToken in such vaults and not allowing such approvals would be affecting potential functionality and even potential profits since deposits from notional will be bricked.
Which ERC20 tokens do you expect will interact with the smart contracts?
any
I think in this case we should consider any ERC20 tokens beside the ones with non-standard behavior, since the README specifies no tokens with non-standard behavior should be considered for this audit.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
from 2023-10-notional-judging.
jaraxxus775
commented on July 29, 2024
- Protocol states that any ERC20 token will be interacted with, so all kinds of ERC20 issues should be accounted for. It will only be a non-issue if the protocol specifically has checks to make sure that the ERC20 cannot be used, eg if only 6-18 decimals should be used, then there must be a check in the function. Likewise, if revert on zero value transfer tokens should not be used, then protocol must make sure that function only transfers > 0 amount. If protocol does not have any specific checks for ERC20 tokens, then it is an issue.
Which ERC20 tokens do you expect will interact with the smart contracts?
any
-
(USDT)'s approve() function will revert if the current approval is not zero, to protect against front-running changes of approvals. USDT cannot be used at all, which breaks protocol functionality. USDT is not a random token, it has a pretty huge TVL and is used in most lending protocols. AAVE sees 200m USDT locked in the lending market.
-
Sponsor found value in the issue.
-
Historically, approve to zero has always been awarded Medium difficulty (DODO-06-2023), (Derby-01-2023)
Thanks.
from 2023-10-notional-judging.
Czar102
commented on July 29, 2024
Hi @jaraxxus775, please check the Sherlock rule mentioned in @gstoyanovbg's comment.
It is clear that they want to work with any non-weird token. Since this approval revert is considered a weird trait, this finding should be invalid.
from 2023-10-notional-judging.
Czar102
commented on July 29, 2024
Result:
Invalid
Has duplicates
from 2023-10-notional-judging.
sherlock-admin2
commented on July 29, 2024
Escalations have been resolved successfully!
Escalation status:
- VagnerAndrei26: accepted
from 2023-10-notional-judging.
xiaoming9090
commented on July 29, 2024
Fixed in PR 64
from 2023-10-notional-judging.
Related Issues (20)
- bareli - Divide by zero error
- jah - a user can steal another person approved tokens HOT 1
- Jaraxxus - oracleSlippagePercentOrLimit for static trades is not checked, can be set to arbitrary value
- 0xMaroutis - No expiration deadline for trades can lead to loss of funds
- bareli - Lack of Access Control:
- Jaraxxus - UUPSUpgradeable is not initialized HOT 1
- shealtielanz - If the lend token is eth, redeemfCash will most likely revert HOT 1
- shealtielanz - An attacker can brick redemption from notional and settlements in crossCurrency vault HOT 1
- Tri-pathi - Weighted pool spot price calculation is incorrect HOT 15
- lemonmon - Spot prices calculated inside `BalancerComposableAuraVault` may not be in line with spot prices from Balancer pools due to rounding differences.
- 0xMaroutis - Hardcoded chainId Restricts Smart Contract Deployment to Arbitrum Only
- jah - wrong logic when swaping a token HOT 1
- Shubham - Hardcoding `block.timestamp` should not be used as deadline HOT 1
- ddimitrov22 - Using `block.timestamp` for swap deadline offers no protection
- ge6a - restoreVault() lacks grace period HOT 13
- 0xMaroutis - Absence sequencer status check in `_getOraclePairPrice`
- Tri-pathi - Invariant should be round down instead of round up
- shealtielanz - Unlimited slippage during `emergencyExit()` HOT 18
- lemonmon - Due to multiple issues the reinvestor may be able to steal funds from the vault.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from 2023-10-notional-judging.