I have seen some unexpected behaviour in the approval function of Honey contract. This is non exploitable and there’s not any security concern at a first glance, just an incovinience for Honey usage.
The HNY contract doesn’t allow to approve two times the same spender without doing a reset between approvals. This behaviour will break the omnibridge UI if you use it more than once. The only solution to send HNY tokens twice through the bridge is to send a manual approve call to the HNY token contract with the router as expender and 0 as value.
This is beacuse how approve HNY funcion is implemented. In the contract there’s one line which is used to avoid approve exploits, but which creates this non standard approval behaviour.
The line is:
// To change the approve amount you first have to reduce the addresses
// allowance to zero by callingapprove(_spender,0)` if it is not
// already 0 to mitigate the race condition described here:
require((_amount == 0) || (allowed[msg.sender][_spender] == 0));
I guess this is expected by the HNY devs but is something which needs to be taken into account in order to develop HNY interfaces like omnibridge one, which can stop working if this is not accounted.