Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

Contracts are vulnerable due to token being fee-on-transfer and would cause accounting-related issues

Summary

The contracts are vulnerable if the token is fee-on-transfer: the amount credited to the caller is taken from the transfer input, not from what the contract actually receives, which causes accounting issues.

Vulnerability Details

The functions transfer funds from the caller to the receiver address via transferFrom(), but do not ensure that the actual number of tokens received is the same as the input amount to the transfer.

Impact

If the token is a fee-on-transfer token, the balance after the transfer will be smaller than expected, leading to accounting issues. Even if there are checks later, related to a secondary transfer, an attacker may be able to use latent funds (e.g. mistakenly sent by another user) in order to get a free credit.

Tools Used

Manual code analysis

Recommendations

One way to solve this problem is to measure the balance before and after the transfer, and use the difference as the amount, rather than the stated amount.
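The balance-delta pattern from the recommendation next to the vulnerable pattern, as an added Solidity example that is not Sparkn's code; the contract and function names are hypothetical, and it assumes OpenZeppelin's IERC20 and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical deposit contract used only to illustrate the finding.
contract DepositAccounting {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 _token) {
        token = _token;
    }

    /// Vulnerable pattern: credits the stated `amount`, not what arrived.
    /// With a fee-on-transfer token the contract ends up holding less than
    /// the sum of all credits, so later withdrawals cannot all be honoured.
    function depositUnsafe(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }

    /// Recommended pattern: credit only the balance delta this contract observes.
    /// Tokens already sitting in the contract before the call are part of
    /// `before`, so latent funds sent by someone else are never credited here.
    function depositSafe(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received;
    }
}
```

The same before/after measurement applies to any later transfer out of the contract if the token also charges a fee on that leg.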
