The lack of accounting for rebasing and fee-on-transfer tokens leads to potential vulnerabilities in the protocol’s functionality. These vulnerabilities arise from inaccurate token balances, incorrect calculations, and improper handling of token transfers, significantly affecting the contracts' integrity and causing financial risks to users.
When using a rebasing token as the loan or collateral asset, the balances of the pools and loan sizes would need to be adjusted to account for the token's supply changes. Since rebasing tokens adjust their total supply, the pool balance and the maximum loan size expressed in terms of token amounts might fluctuate after each rebase. This could potentially affect the feasibility of loans and refinancing terms. This problem further affects interest rate calculation, fee calculation, etc.
If fee-on-transfer tokens are deposited in the pool, the protocol won’t account for the fees, which will generate an incorrect pool balance and make the loan and collateral mismatch. Any transfer of funds will cause some loss of funds that wasn’t expected by the protocol or users.
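The accounting drift described in the two paragraphs above can be reproduced in a small model. This is an added Python example, not the protocol's contract code; `Token`, `Pool`, `run`, the 1% fee and the rebase ratios are assumptions chosen for illustration.

```python
# Simplified ledger model (constructed; not the audited protocol's contracts).
class Token:
    """ERC20-like ledger. fee_bps > 0 models a fee-on-transfer token."""
    def __init__(self, fee_bps=0):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        # The recipient is credited less than `amount`; the fee is burned.
        self.balances[dst] = self.balance_of(dst) + amount - fee

    def rebase(self, num, den):
        """Scale every holder's balance by num/den, as a rebasing token does."""
        for who in self.balances:
            self.balances[who] = self.balances[who] * num // den


class Pool:
    """Records deposits by the amount requested, as the finding describes."""
    def __init__(self, token):
        self.token = token
        self.recorded = 0

    def deposit(self, lender, amount):
        self.token.transfer(lender, "pool", amount)
        self.recorded += amount  # assumes `amount` arrived in full

    def shortfall(self):
        """Recorded balance minus tokens actually held; 0 means consistent."""
        return self.recorded - self.token.balance_of("pool")


def run(token, amount=1_000, rebase=None):
    """Deposit `amount`, optionally rebase, and return the pool's shortfall."""
    token.mint("lender", amount)
    pool = Pool(token)
    pool.deposit("lender", amount)
    if rebase:
        token.rebase(*rebase)
    return pool.shortfall()
```

A non-zero `shortfall()` is the invariant violation to monitor for: a positive value means the pool has recorded more tokens than it holds, a negative value means a positive rebase left tokens that the accounting does not track.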
Unexpected/unintended consequences and functionality that can cause loss of funds for the users and loss of revenue for the protocol.
Manual review
Please consider limiting the tokens that can be used within the protocol to a curated list of tried-and-tested tokens that don’t generate weird/unintended functionality.