Tomo - 【Tomo-M#2】create safe version ERC20-approve function

[github-actions]

Tomo

medium

【Tomo-M#2】create safe version ERC20-approve function

Summary

You should create a safe version of the ERC20 approve function like safeTransfer and safeTransferFrom.

Vulnerability Detail

The Pool contract has safeTransfer and safeTransferFrom functions to prevent some attack vectors. However, there is no safe version of the ERC20-approve function.

Therefore it happens "Multiple Withdrawal Attack"

Impact

It happens Multiple Withdrawal Attack

Code Snippet

/// @notice Approves an address to spend pool tokens on behalf of the sender
/// @param spender The address of the spender
/// @param amount The amount of pool tokens to approve
/// @return bool that indicates if the operation was successful
function approve(address spender, uint amount) external returns (bool) {
    allowance[msg.sender][spender] = amount;
    emit Approval(msg.sender, spender, amount);
    return true;
}

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L295-L303

Tool used

Manual Review

Recommendation

Add safeIncreaseAllowance and safeDecreaseAllowance refer to SafeERC20 by OpenZeppelin

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/utils/SafeERC20.sol#L56-L75

Similar Issue

code-423n4/2022-04-backd-findings#180

Duplicate of #154