Incompatability with deflationary / fee-on-transfer tokens.
Summary - Vulnerability Details
The Lending and Stacking contracts works with all types of ERC20 tokens and some of them can be fee-on-transfer tokens which deducts tokens for fee. It means these contract will receive less tokens than mentioned by users in the parameters.
All of the locations mentioned in the given links, update the contract balances for different tokens based on user provided amount parameter, which can be vulnerable because it is possible that contract will receive less tokens than mentioned by users.
Consider the scenario
-
Token X is fee-on-transfer and it took 10% for each transfer. Alice has 1000 token X and Bob has 2000 token X
-
Both create pools and transfers all tokens to Lending contract. It recorded that the amount stored for token X of Alice is 1000 and Bob is 2000. But since token X has 10% fee, contract only receives 2700 token X.
-
Now Bob removed his funds (2000) from the pool. Because pool recorded 2000 his funds, he can remove 2000 token X.
-
Now the contract only has 700 token X left and obviously it's unable for Alice to withdraw
Tools Used
Manual Review, Solodit
Recommendations
Check the balance of the contracts before and after transfer, compare them differnce with the amount mentioned by users if the amount is less than mentioned then contracts can revert.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.