Ignoring Return Values from ERC20 approve() Function: Potential Miscount of Successful Approvals
A recurring issue found in many smart contracts involves neglecting to check the return value of the ERC20 approve() function. As per the ERC20 standard, the approve() function should return a boolean indicating the success or failure of the approval operation. However, some smart contracts make the assumption that the function will always succeed, without actually verifying the returned value.

This oversight can have significant implications, especially with tokens that do not revert the transaction when an approval fails, but rather return false. In such cases, these failed approval operations are incorrectly counted as successful approvals, which can result in incorrect token balances and mislead the contract's logic.
Here is a typical example of a smart contract not checking the approve() return value:
The recommended way to mitigate this issue is to utilize the safeApprove() function from OpenZeppelin's SafeERC20 contract. This function, unlike the standard approve(), checks the return value and reverts the transaction if the approval operation fails, ensuring that only successful approvals are counted.
The corrected code snippet would look something like this:
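As an added illustration (not the page's own snippet), the hypothetical contracts below place the unchecked pattern beside the SafeERC20 version, together with a constructed token that signals failure by returning false rather than reverting; all contract and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock (not a real token): approve() reports failure by returning
// false instead of reverting, which is exactly the case the text describes.
contract FalseReturningToken {
    mapping(address => mapping(address => uint256)) public allowance;
    bool public approvalsEnabled; // false by default, so every approve() fails

    function setApprovalsEnabled(bool enabled) external {
        approvalsEnabled = enabled;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        if (!approvalsEnabled) return false; // no revert, no allowance change
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// Vulnerable pattern (hypothetical): the boolean from approve() is dropped, so
// against FalseReturningToken the call "succeeds", approvedCount advances, and
// the spender is left with no allowance at all.
contract UnsafeApprover {
    uint256 public approvedCount;

    function grantAllowance(IERC20 token, address spender, uint256 amount) external {
        token.approve(spender, amount); // return value ignored
        approvedCount += 1;            // counted as a success regardless of outcome
    }
}

// Corrected pattern (hypothetical): SafeERC20.safeApprove reverts when the token
// returns false, so approvedCount only advances after a real approval.
contract SafeApprover {
    using SafeERC20 for IERC20;
    uint256 public approvedCount;

    function grantAllowance(IERC20 token, address spender, uint256 amount) external {
        token.safeApprove(spender, amount); // reverts on a false return value
        approvedCount += 1;
    }
}
```

With FalseReturningToken in its default state, UnsafeApprover.grantAllowance completes and increments the counter while allowance stays zero, whereas SafeApprover.grantAllowance reverts. This compiles against OpenZeppelin's 4.x release line, where safeApprove exists; 5.x removed it in favour of forceApprove and safeIncreaseAllowance.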
By correctly handling the return value of the approve() function, developers can avoid any potential mishaps arising from the incorrect assumption of successful approvals, thereby strengthening the integrity and reliability of their smart contracts.
Real bug bounty examples:
This vulnerability is generally classed as medium risk.