Omniscia Tokemak Network Audit

SushiswapControllerV1 Manual Review Findings

SCV-01M: Potentially Dangerous Approval Operation

Description:

The safeApprove instruction performed by the deploy function will fail to execute properly in case of a contract upgrade, as it internally validates that the existing allowance is zero whenever the allowance is being updated to a non-zero value. Additionally, it has been marked as "deprecated" by the OpenZeppelin team.

Example:

contracts/controllers/SushiswapControllerV1.sol
if (toDeposit) {
    pair.safeApprove(address(MASTERCHEF), liquidity);
    depositLPTokensToMasterChef(poolId, liquidity);
}

Recommendation:

We advise that a direct approve instruction be used instead, or a paradigm similar to that of the _approve function.

Alleviation:

The _approve function was refactored to accept an additional argument and is now safely utilized in the linked code.
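
The allowance check described in this finding, next to a reset-then-approve alternative, as an added Solidity sketch that is not the Tokemak code nor its refactored _approve function. The interface, library, contract and function names are hypothetical, and the token is assumed to return a bool from approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; every name in this file is hypothetical.
interface IERC20Minimal {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

library ApprovalSketch {
    // Same precondition as the deprecated safeApprove: a non-zero value is
    // accepted only while the current allowance is zero, so any leftover
    // allowance makes the call revert.
    function strictApprove(IERC20Minimal token, address spender, uint256 value) internal {
        require(
            value == 0 || token.allowance(address(this), spender) == 0,
            "approve from non-zero to non-zero allowance"
        );
        require(token.approve(spender, value), "approve failed");
    }

    // Sets the allowance to exactly `value` whatever is left over:
    // a stale allowance is cleared first, then the new amount is granted.
    function resetAndApprove(IERC20Minimal token, address spender, uint256 value) internal {
        if (token.allowance(address(this), spender) != 0) {
            require(token.approve(spender, 0), "reset failed");
        }
        if (value != 0) {
            require(token.approve(spender, value), "approve failed");
        }
    }
}

contract ApprovalDemo {
    using ApprovalSketch for IERC20Minimal;

    // Reverts if this contract already holds a non-zero allowance towards
    // `spender`, for example one that an earlier call left partly unspent.
    function approveStrict(IERC20Minimal pair, address spender, uint256 liquidity) external {
        pair.strictApprove(spender, liquidity);
    }

    // Succeeds in the same situation and never leaves more than `liquidity` approved.
    function approveWithReset(IERC20Minimal pair, address spender, uint256 liquidity) external {
        pair.resetAndApprove(spender, liquidity);
    }
}
```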