Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Mismanagement of Fee-on-transfer and Rebasing Tokens in Distributor Smart Contract

Summary

The current implementation of Distributor._distribute does not properly handle fee-on-transfer or rebasing tokens, which could lead to inaccurate recording of amounts transferred and potential loss of tokens for the users.

Vulnerability Details

In Distributor.sol:147, the protocol fails to manage ERC20 tokens that either take a fee on transfer or may do so in the future.

These include tokens like PAXG or USDT (fee-on-transfer) or contracts like USDC, which can be upgraded to include such functionality.

In the current implementation, the amount of tokens received after transfer may be less than the specified amount due to the fee, leading to discrepancies, loss of tokens, and potential protocol failures.

Since the check for total percentages is performed before the safeTransfer, it does not guarantee that the amounts transferred will actually be correct.

    // @audit-issue Percentages check will not work for fee-on-transfer or rebasing tokens
    uint256 totalPercentage;
    for (uint256 i; i < percentagesLength;) {
        totalPercentage += percentages[i];
        unchecked {
            ++i;
        }
    }
    // check if totalPercentage is correct
    if (totalPercentage != (10000 - COMMISSION_FEE)) {
        revert Distributor__MismatchedPercentages();
    }
    // ...
    IERC20 erc20 = IERC20(token);
    uint256 totalAmount = erc20.balanceOf(address(this));
    if (totalAmount == 0) revert Distributor__NoTokenToDistribute();
    uint256 winnersLength = winners.length;
    for (uint256 i; i < winnersLength; ) {
        uint256 amount = (totalAmount * percentages[i]) / BASIS_POINTS;
        // @audit-issue Percentages check will not work for fee-on-transfer or rebasing tokens
        erc20.safeTransfer(winners[i], amount);
        unchecked { ++i; }
    }
    _commissionTransfer(erc20);
    emit Distributed(token, winners, percentages, data);

The issue has been tagged as M-01 FEE_ON_TRANSFER.

Impact

The use of fee-on-transfer or rebasing tokens in the current implementation of the protocol can cause incorrect account balances in the system, leading to loss of funds or Denial of Service due to improper accounting of the token values.

Tools Used

Manual Review

Recommendations

It is recommended to properly handle fee-on-transfer tokens and rebasing tokens by updating the accounting mechanism to calculate the amount before and after the transfer. If this is not feasible, the protocol documentation should explicitly state that these types of tokens are unsupported.
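The before-and-after accounting the recommendation describes, as an added example that is not Sparkn's code: a hypothetical hardened variant of _distribute that reads each winner's balance before and after the transfer and records the amount actually credited. The COMMISSION_FEE value, the Distributor__InsufficientBalance error, the modified Distributed event signature and the OpenZeppelin import paths are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical hardened variant of Distributor._distribute (example only, not Sparkn's code).
/// Each winner's balance is read before and after the transfer so the event records what
/// actually arrived, and the contract re-reads its own balance before every transfer so a
/// token that debits more than `amount` fails with a clear reason instead of a raw revert.
abstract contract DistributorHardened {
    using SafeERC20 for IERC20;
    uint256 public constant BASIS_POINTS = 10000;
    uint256 public constant COMMISSION_FEE = 500; // assumed value for the example
    error Distributor__MismatchedPercentages();
    error Distributor__NoTokenToDistribute();
    error Distributor__InsufficientBalance(uint256 needed, uint256 available); // hypothetical
    // `received` carries the measured amounts, not the requested ones.
    event Distributed(address token, address[] winners, uint256[] received, bytes data);

    function _distributeMeasured(
        address token, address[] memory winners, uint256[] memory percentages, bytes memory data
    ) internal {
        uint256 totalPercentage;
        for (uint256 i; i < percentages.length;) {
            totalPercentage += percentages[i];
            unchecked { ++i; }
        }
        if (totalPercentage != BASIS_POINTS - COMMISSION_FEE) revert Distributor__MismatchedPercentages();

        IERC20 erc20 = IERC20(token);
        uint256 totalAmount = erc20.balanceOf(address(this));
        if (totalAmount == 0) revert Distributor__NoTokenToDistribute();
        uint256[] memory received = new uint256[](winners.length);
        for (uint256 i; i < winners.length;) {
            uint256 amount = (totalAmount * percentages[i]) / BASIS_POINTS;
            // A deflationary token may have burned part of the snapshot since the last transfer.
            uint256 available = erc20.balanceOf(address(this));
            if (available < amount) revert Distributor__InsufficientBalance(amount, available);
            uint256 before = erc20.balanceOf(winners[i]);
            erc20.safeTransfer(winners[i], amount);
            received[i] = erc20.balanceOf(winners[i]) - before; // actual credit after any fee
            unchecked { ++i; }
        }
        _commissionTransfer(erc20);
        emit Distributed(token, winners, received, data);
    }

    function _commissionTransfer(IERC20 erc20) internal virtual;
}
```

If the protocol instead chooses to declare such tokens unsupported, the same measurement can be turned into a strict check that reverts whenever received[i] differs from amount.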
