15,000 USDC
Submission Details
Severity: medium
Valid

Protocol is incompatible with rebasing tokens and tokens with airdrops

Summary

If a user deposits a rebasing token (such as AMPL) or a token that receives airdrops (such as COMP), either the user or the protocol will lose funds, because the contract tracks the amount each user deposited rather than the user's share of the balance it actually holds.

Vulnerability Details

Rebasing tokens change holders' balances without any action on the holder's side. AMPL, for example, adjusts its supply every 24 hours to keep its price close to 1 USD: if the price rises, every wallet holding AMPL receives extra tokens in proportion to its balance; if the price falls, tokens are proportionally removed from holders' wallets. Airdrops are similar: holders of a token such as COMP can receive extra tokens without taking any action. So for these tokens there are two possibilities: the token balance held by the contract can grow, or it can shrink.

Let's see how the contracts handle these tokens:

1- Token amount grows in the contract:
If the token amount in the contract grows, the extra tokens are stuck in the contract, because users cannot redeem more than the amount they deposited. Hence users lose those funds.

2- Token amount drops in the contract:
If the token amount in the contract drops and more than one user has deposited that token, a user can still redeem the full amount they deposited, which is now worth more than their actual share; in effect they redeem other users' collateral. For example, user1 deposits 100 tokens and user2 deposits 100 tokens. A negative rebase then changes the contract's balance from 200 to 150, of which 75 belongs to user1 and 75 to user2. User1 redeems their recorded 100 tokens and the contract is left with only 50, so user2 can recover at most 50 of the 75 they are entitled to and has lost 25 tokens.

Impact

Users will lose their funds if they use rebasing tokens as collateral. Because users' funds will be directly at risk, I consider this high.

Tools Used

Manual Review

Recommendations

Either block rebasing tokens (and other tokens whose balance can change without a transfer) from being used as collateral, or, instead of tracking each user's deposited amount, track each user's share of the contract's token balance and compute the redeemable amount from the current balance at redemption time.
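The following model reproduces both cases from the Vulnerability Details and the share-based accounting from the recommendation. It is an added example written for this report, not the audited protocol's code: it assumes an AMPL-style token whose balances are stored in fixed units ("gons") and scaled by a rebase multiplier, a vault (`AmountVault`) that credits users with the raw amount they deposited, and a vault (`ShareVault`) that credits users with shares of the vault balance instead. Names, the two-user scenario and the rebase factors are all constructed for illustration.

```python
"""Deposit accounting against a rebasing token (added example, not protocol code)."""
from fractions import Fraction


class RebasingToken:
    """Minimal AMPL-style token: balances are gons times a multiplier, so a
    single rebase() moves every holder's balance at once without a transfer."""

    def __init__(self):
        self._gons = {}
        self.multiplier = Fraction(1)

    def mint(self, who, amount):
        self._gons[who] = self._gons.get(who, 0) + Fraction(amount) / self.multiplier

    def balance_of(self, who):
        return self._gons.get(who, 0) * self.multiplier

    def transfer(self, sender, receiver, amount):
        gons = Fraction(amount) / self.multiplier
        if self._gons.get(sender, 0) < gons:
            raise ValueError("insufficient balance")  # stands in for an EVM revert
        self._gons[sender] -= gons
        self._gons[receiver] = self._gons.get(receiver, 0) + gons

    def rebase(self, factor):
        self.multiplier *= Fraction(factor)


class AmountVault:
    """Vulnerable pattern: records the raw amount each user deposited."""

    def __init__(self, token):
        self.token = token
        self.deposited = {}

    def deposit(self, user, amount):
        self.token.transfer(user, "vault", amount)
        self.deposited[user] = self.deposited.get(user, 0) + amount

    def redeem(self, user):
        amount = self.deposited.get(user, 0)
        # Pays the recorded amount regardless of what the vault now holds:
        # after a negative rebase this drains other users' collateral, and
        # after a positive one the surplus is never paid out.
        self.token.transfer("vault", user, amount)
        self.deposited.pop(user, None)
        return amount


class ShareVault:
    """Recommended pattern: records shares; payout is a pro-rata slice of the
    vault's current balance, so rebases are passed through to depositors."""

    def __init__(self, token):
        self.token = token
        self.shares = {}
        self.total_shares = Fraction(0)

    def deposit(self, user, amount):
        balance_before = self.token.balance_of("vault")
        if self.total_shares == 0:
            new_shares = Fraction(amount)
        else:
            new_shares = Fraction(amount) * self.total_shares / balance_before
        self.token.transfer(user, "vault", amount)
        self.shares[user] = self.shares.get(user, 0) + new_shares
        self.total_shares += new_shares

    def redeem(self, user):
        user_shares = self.shares.get(user, 0)
        amount = user_shares * self.token.balance_of("vault") / self.total_shares
        self.token.transfer("vault", user, amount)
        self.total_shares -= user_shares
        self.shares.pop(user, None)
        return amount


def run(vault_cls, factor):
    """Constructed scenario: two users deposit 100 each, a rebase by `factor`
    happens, then both redeem. Returns (user1 got, user2 got, left in vault);
    a redeem that would revert is reported as None."""
    token = RebasingToken()
    token.mint("user1", 100)
    token.mint("user2", 100)
    vault = vault_cls(token)
    vault.deposit("user1", 100)
    vault.deposit("user2", 100)
    token.rebase(factor)
    received = {}
    for user in ("user1", "user2"):
        try:
            received[user] = vault.redeem(user)
        except ValueError:
            received[user] = None
    return received["user1"], received["user2"], token.balance_of("vault")


if __name__ == "__main__":
    for name, cls in (("AmountVault", AmountVault), ("ShareVault", ShareVault)):
        print(name, "negative rebase 200->150:", run(cls, "3/4"))
        print(name, "positive rebase 200->250:", run(cls, "5/4"))
```

With the negative rebase, `AmountVault` pays user1 the full recorded 100, leaves 50 for user2 and makes user2's redeem revert, which is the 25-token loss described above; with the positive rebase it pays both users 100 and strands 50 in the contract. `ShareVault` pays 75 and 75, or 125 and 125, and leaves nothing behind. Share accounting has its own well-known edge case that the recommendation does not mention: the first depositor can inflate the share price by donating tokens to the vault, so a production implementation should guard the initial share issuance (for example with virtual shares or a minimum first deposit), and `ShareVault.redeem` as written would divide by zero if a rebase ever drove the vault balance to exactly zero.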
