20,000 USDC
Submission Details
Severity: high
Valid

Lending/Staking are not compatible with Fee on Transfer Tokens

Summary

Fee on transfer tokens can cause mismatches between tokens received and token amounts recorded.

Vulnerability Details

With fee-on-transfer (FoT) tokens, whenever a user transfers tokens into the protocol, the amount actually received will not match the amount passed as a function argument. For example, a lender calls addToPool(poolId, amount = 100), but the token takes a fee of 1 on every transfer, so the protocol receives 99 tokens while recording an increase to the pool of 100.
Over time, this mismatch between recorded user balances and the tokens the protocol actually holds will grow, and the last users to withdraw may find that there are no tokens left.

Impact

Accounting balances will not match the actual amount of tokens the protocol holds, which can result in there not being enough tokens for later users to withdraw.

Tools Used

Manual Review

Recommendations

Either restrict FoT tokens from the protocol or check balances before/after transfers into the protocol and use the actual amount of tokens received when updating accounting variables.
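
The balance before/after check from the recommendation, shown next to the naive accounting, as an added example that is not the audited protocol's code. The contract name `PoolSketch`, the `Pool` fields, `createPool`, the `bytes32` pool id and the use of OpenZeppelin's `SafeERC20` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal pool, constructed for illustration only.
contract PoolSketch {
    using SafeERC20 for IERC20;

    struct Pool {
        IERC20 loanToken;    // assumed field name
        uint256 poolBalance; // assumed field name: tokens the pool believes it holds
    }

    mapping(bytes32 => Pool) public pools;

    function createPool(bytes32 poolId, IERC20 token) external {
        require(address(pools[poolId].loanToken) == address(0), "pool exists");
        require(address(token) != address(0), "zero token");
        pools[poolId].loanToken = token;
    }

    // Before: records the caller-supplied amount. With a fee of 1 per
    // transfer, amount = 100 credits 100 while only 99 tokens arrive.
    function addToPoolNaive(bytes32 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        p.poolBalance += amount;
        p.loanToken.safeTransferFrom(msg.sender, address(this), amount);
    }

    // After: measures the contract's balance around the transfer and
    // credits only what actually arrived (99 in the example above).
    function addToPool(bytes32 poolId, uint256 amount) external returns (uint256 received) {
        Pool storage p = pools[poolId];
        IERC20 token = p.loanToken;

        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - balanceBefore;

        // To restrict FoT tokens instead of supporting them, replace this
        // check with: require(received == amount, "fee-on-transfer token");
        require(received > 0, "nothing received");
        p.poolBalance += received;
    }
}
```

The before/after measurement assumes no other deposit runs inside the token's transfer call; with tokens that invoke callbacks, pair it with a reentrancy guard.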
