40,000 USDC
View results
Submission Details
Severity: medium
Valid

Not possible to deploy `Escrow` contract with tokens that charge fee on transfer

Summary

The protocol is not compatible with tokens that charge fee on transfers. There are several ERC-20 tokens that take a small fee on transfer and transferFrom. Most notably, USDT is an ERC-20 token that implements functionality of transfer fees, but for now the fee is set to 0. Attempt to use tokenContract with the address of token that charge fee on transfer results in revert and inability to deploy Escrow contract.

Vulnerability Details

The EscrowFactory contract requires transferring a price amount of tokens to the computedAddress, and subsequently, it creates a new Escrow contract by passing the value of price to its constructor. However, because the token in use imposes fees on transfers, this results in a situation where the quantity of tokens actually received by the Escrow contract is less than the specified price, leading to a revert of the transaction in Escrow constructor:

if (tokenContract.balanceOf(address(this)) < price) revert Escrow__MustDeployWithTokenBalance();

Impact

It is not possible to deploy Escrow contract with token that charges fee on transfer.

Tools Used

Manual Review

Recommendations

It is recommended to set the value of i_price to the actual balance of token in the contract rather than accepting its value from the constructor parameter:

i_price = tokenContract.balanceOf(address(this));

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.