Fee on transfer or deflationary erc20 tokens not taken into account while calculating poolBalance which can lead to loss of funds.
Summary
The balance of the pool (pool.poolBalance) is set without accounting for 'fee on transfer' or deflationary tokens which can lead to wrong balance values causing unintended issues as it is used by many functions for calculations.
Vulnerability Details
setPool(Pool calldata p) -> this function sets the pool (pools[poolId] = p;).
If the erc20 token has a 'fee on transfer' mechanism then the poolBalance will be set wrongly as they are not accounted for.
Same issue in the
addToPool(bytes32 poolId, uint256 amount) function -> this function updates the pool balance using.
_updatePoolBalance(poolId, pools[poolId].poolBalance + amount). which can go wrong with fee on transfer tokens.
Impact
Users can take more debt than pool Balance, which will lead to loss of funds.
borrow(Borrow[] calldata borrows) -> this function checks for balance before lending (if (debt > pool.poolBalance) revert LoanTooLarge();). Since the pool.poolBalance can be larger than the actual balance of erc20 in the pool of the contract, users can take more debt than intended which can drain contract's balance of the token.
Tools Used
Manual review
Recommendations
Either White list specific erc20 tokens for use in the protocol or account for fee on transfer and deflationary tokens during calculation of pool.poolBalance
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.