Fee-on transfer tokens in FeeBurner.burnToTarget
will revert transaction
#133
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/FeeBurner.sol#L70
Vulnerability details
Impact
There are ERC20 tokens that may make certain customizations to their ERC20 contracts.
One type of these tokens is deflationary tokens that charge a certain fee for every
transfer()
ortransferFrom()
.Proof of Concept
The
FeeBurner.burnToTarget
function will try to swap more of an ERC20 token than the contract actually received and due to transfering the token into theSwapperRouter
contract, the token balance is insufficient and the transfer will revert.tokenomics/FeeBurner.sol#L70
Tools Used
Manual review
Recommended mitigation steps
As other contracts (e.g.
AmmGauge.stakeFor
) already handle fee-on transfer tokens correctly, make sure alsoFeeBurner.burnToTarget
does so.Compare the token balance before the transfer and after the transfer and use the delta as the actual swap amount to prevent the
FeeBurner.burnToTarget
function reverting for fee-on transfer tokens:The text was updated successfully, but these errors were encountered: