Improper ERC20 Approval Handling in processSwapFee Leading to Denial of Service (DoS) #3

@smartsmartsec

Description

Location

https://github.com/code-423n4/2025-05-upside/blob/main/contracts/UpsideProtocol.sol#L227

Problem and Impact

The processSwapFee function in the affected contract fails to handle token approvals correctly when distributing fees to stakers. The function directly calls approve with a new non-zero value (feeToStakers) without first resetting the approval to zero, which can cause the transaction to revert if the token contract enforces a strict approval change policy (e.g., requiring zero approval before setting a new non-zero value). This vulnerability can lead to denial of service (DoS) by preventing fee distributions and disrupting contract operations.

Recommendation

Modify the processSwapFee function to safely handle token approvals by:

  1. First resetting the approval to zero before setting a new non-zero value.
  2. Using the safeApprove pattern (if available) or implementing a two-step approval process.
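
The two approval patterns side by side, as an added example that is not the UpsideProtocol code: StrictApprovalToken is a constructed mock of a token that, like USDT, rejects a non-zero to non-zero allowance change, and FeeDistributor, approveFeeUnsafe and approveFeeSafe are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 value) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Constructed mock: approve() reverts unless the new value is zero or the current allowance is zero.
contract StrictApprovalToken is IERC20 {
    mapping(address => mapping(address => uint256)) private _allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        require(value == 0 || _allowance[msg.sender][spender] == 0, "approve: reset to zero first");
        _allowance[msg.sender][spender] = value;
        return true;
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowance[owner][spender];
    }
}

/// Hypothetical fee distributor showing the vulnerable and the hardened approval flow.
contract FeeDistributor {
    IERC20 public immutable token;
    address public immutable staking;

    constructor(IERC20 token_, address staking_) {
        token = token_;
        staking = staking_;
    }

    /// Vulnerable: if any allowance is left over from a previous distribution, a strict token
    /// reverts here, and every later fee distribution fails (denial of service).
    function approveFeeUnsafe(uint256 feeToStakers) external {
        require(token.approve(staking, feeToStakers), "approve failed");
    }

    /// Hardened: clear a leftover allowance first, then set the new value. OpenZeppelin 5.x
    /// SafeERC20.forceApprove implements the same retry-with-zero logic (safeApprove is removed there).
    function approveFeeSafe(uint256 feeToStakers) external {
        if (token.allowance(address(this), staking) != 0) {
            require(token.approve(staking, 0), "approve reset failed");
        }
        require(token.approve(staking, feeToStakers), "approve failed");
    }
}
```

Tokens such as USDT also return no bool from approve(), so against a real deployment the require-wrapped calls above should be replaced by SafeERC20's low-level call handling rather than a direct interface call.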
