Not possible to deploy `Escrow` contract with tokens that charge fee on transfer
Summary
The protocol is not compatible with tokens that charge fee on transfers. There are several ERC-20 tokens that take a small fee on transfer and transferFrom. Most notably, USDT is an ERC-20 token that implements functionality of transfer fees, but for now the fee is set to 0. Attempt to use tokenContract with the address of token that charge fee on transfer results in revert and inability to deploy Escrow contract.
Vulnerability Details
The EscrowFactory contract requires transferring a price amount of tokens to the computedAddress, and subsequently, it creates a new Escrow contract by passing the value of price to its constructor. However, because the token in use imposes fees on transfers, this results in a situation where the quantity of tokens actually received by the Escrow contract is less than the specified price, leading to a revert of the transaction in Escrow constructor:
Impact
It is not possible to deploy Escrow contract with token that charges fee on transfer.
Tools Used
Manual Review
Recommendations
It is recommended to set the value of i_price to the actual balance of token in the contract rather than accepting its value from the constructor parameter:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.