Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fee on transfer tokens do not work within the protocol #78

Open
code423n4 opened this issue Oct 10, 2021 · 1 comment
Open

Fee on transfer tokens do not work within the protocol #78

code423n4 opened this issue Oct 10, 2021 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Handle

tensors

Vulnerability details

Fee on transfer tokens transfer less tokens in than what would be expect.
This means that the protocol request incorrect amounts when dealing with these tokens.

https://github.com/code-423n4/2021-10-defiprotocol/blob/7ca848f2779e2e64ed0b4756c02f0137ecd73e50/contracts/contracts/Basket.sol#L256

The protocol should use stored token balances instead of transfer for calculating amounts.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding labels Oct 10, 2021
code423n4 added a commit that referenced this issue Oct 10, 2021
@frank-beard frank-beard added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Oct 19, 2021
@GalloDaSballo
Copy link
Collaborator

I agree with the finding and the severity.
Given a feeOnTransferToken, the accounting of the protocol will break.

because this is dependent on an external condition (using feeOnTransferToken) this is a medium severity finding

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Development

No branches or pull requests

3 participants