`depositCollateral()`, `redeemCollateral()` do not work with fee-on-transfer tokens
Summary
There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens charge a certain fee for every transfer() or transferFrom(). Example: XRP token.
Vulnerability Details
The depositCollateral() and _redeemCollateral() functions transfer amountCollateral using something like IERC20(tokenCollateralAddress).transferFrom(msg.sender, address(this), amountCollateral);.
This could have a fee, and less than amountCollateral ends up in the contract. The getAccountCollateralValue() then calculates a USD value greater than the actual collateral value inside the contract due to uint256 amount = s_collateralDeposited[user][token];.
This also causes loss to the protocol while redemption by the user.
NOTE: Other tokens, apart from WETH and WBTC are being considered here in line with Patrick's comment on Discord: "Let's do any token that has a chainlink price feed".
Impact
Since XRP/USD is available in Chainlink price feed and hence supported by the protocol, this token (and any other similar ones) would brick the protocol.
Tools Used
Manual review
Recommendations
One possible mitigation is to measure the asset change right before and after the asset-transferring routines.
You can also limit the list to whitelisted tokens only and exclude such "exotic" tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.