# Ignoring Return Values from ERC20 approve() Function: Potential Miscount of Successful Approvals


A recurring issue found in many smart contracts involves neglecting to check the return value of the ERC20 `approve()` function. As per the ERC20 standard, the `approve()` function should return a boolean indicating the success or failure of the approval operation. However, some smart contracts make the assumption that the function will always succeed, without actually verifying the returned value.

This oversight can have significant implications, especially with tokens that do not revert the transaction when an approval fails, but rather return `false`. In such cases, these failed approval operations are incorrectly counted as successful approvals, which can result in incorrect token balances and mislead the contract's logic.

Here is a typical example of a smart contract not checking the `approve()` return value:

```solidity
function approveUnderlying() public {
    // approval operation without checking the return value
    ERC20(token).approve(address(pool), amount);
}
```

The recommended way to mitigate this issue is to utilize the `safeApprove()` function from OpenZeppelin's `SafeERC20` contract. This function, unlike the standard `approve()`, checks the return value and reverts the transaction if the approval operation fails, ensuring that only successful approvals are counted.

The corrected code snippet would look something like this:

```solidity
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/SafeERC20.sol";

contract Vault {
    // the `using` directive must sit inside the contract that calls safeApprove
    using SafeERC20 for IERC20;

    address public token;
    address public pool;
    uint256 public amount;

    function approveUnderlying() public {
        // safe approval operation: reverts if the token returns false or the call fails
        IERC20(token).safeApprove(address(pool), amount);
    }
}
```

By correctly handling the return value of the `approve()` function, developers avoid the failures that follow from wrongly assuming every approval succeeded, thereby strengthening the integrity and reliability of their smart contracts.
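As an added example (not code from the page or from Zokyo), the following puts a constructed token that returns `false` from `approve()` next to the unchecked pattern and a hardened version that performs the same return-data check `SafeERC20` applies internally. The interface and contract names are assumptions for this illustration; note that OpenZeppelin Contracts v5 removed `safeApprove()` in favour of `forceApprove()`, and both rely on the check shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface for the only call this example needs.
interface IERC20Approve {
    function approve(address spender, uint256 value) external returns (bool);
}

// Constructed token that reports a failed approval by returning false
// rather than reverting: the exact case an unchecked approve() misses.
contract FalseReturningToken is IERC20Approve {
    mapping(address => mapping(address => uint256)) public allowance;
    bool public approvalsEnabled; // constructed switch, false by default

    function approve(address spender, uint256 value) external returns (bool) {
        if (!approvalsEnabled) return false; // fail silently, no revert
        allowance[msg.sender][spender] = value;
        return true;
    }
}

// Vulnerable pattern: the boolean is dropped, so the transaction "succeeds"
// even though no allowance was set.
contract UncheckedApprover {
    function approveUnderlying(address token, address pool, uint256 amount) external {
        IERC20Approve(token).approve(pool, amount);
    }
}

// Hardened pattern: the return-data check SafeERC20 performs internally.
// Accepts a true boolean, or empty return data from a real contract
// (non-standard tokens), and reverts on false, on a failed call, or on an EOA.
contract CheckedApprover {
    error ApproveFailed(address token, address spender, uint256 amount);

    function approveUnderlying(address token, address pool, uint256 amount) external {
        (bool ok, bytes memory data) = token.call(
            abi.encodeCall(IERC20Approve.approve, (pool, amount))
        );
        bool success = ok &&
            (data.length == 0 ? token.code.length > 0 : abi.decode(data, (bool)));
        if (!success) revert ApproveFailed(token, pool, amount);
    }
}
```

Calling `UncheckedApprover.approveUnderlying` against `FalseReturningToken` completes without error and leaves the allowance at zero, whereas `CheckedApprover.approveUnderlying` reverts with `ApproveFailed`.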

Real bug bounty examples:

* [\[M-04\] ERC20 missing return value check](https://github.com/code-423n4/2021-08-notional-findings/issues/67)
* [\[L-01\] Not handling approve return value](https://github.com/code-423n4/2021-09-defiprotocol-findings/issues/73)
* [\[M-06\] ERC20 missing return value check](https://github.com/code-423n4/2021-08-notional-findings/issues/77)

This vulnerability is generally classed as medium risk.
