DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Contracts are vulnerable to fee-on-transfer token related accounting issues

Summary

The deposit function transfers tokens into the contract without measuring the contract's balance before and after the transfer, so it credits the caller with the requested amount rather than the amount actually received. This is a problem for tokens with a fee-on-transfer mechanic, where the received amount is smaller than the transferred amount and the contract has no way to detect the shortfall. If the contract already holds latent funds, later withdrawals of the over-credited amount may still succeed, masking the discrepancy until those funds run out, which can result in unexpected behavior.

Vulnerability Details

The deposit function is designed to transfer tokens from the `from` address to the contract address. However, it neither measures the contract's token balance before and after the transfer nor verifies that the balance grew by `amount`; it simply returns the `amount` argument. This lack of verification can be problematic, especially when interacting with tokens that implement a fee-on-transfer mechanism, since the value returned to the accounting layer then overstates what the contract holds.

function deposit(address from, uint256 amount)
    external
    onlyDiamond
    returns (uint256)
{
    // Transfer stETH to this bridge contract
    // @dev stETH uses OZ ERC-20, don't need to check success bool
    steth.transferFrom(from, address(this), amount);
    return amount;
}

Impact

The contract may not accurately reflect the token balances it holds, which can lead to discrepancies between expected and actual token holdings.

Tools Used

Manual Review

Recommendations

Measure the contract's token balance before and after the transfer and credit (and return) only the difference, rather than the `amount` argument, so that the accounting reflects what the contract actually received.
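The balance-delta pattern the recommendation describes, as an added example that is not DittoETH's code. The `diamond` address, the `onlyDiamond` modifier body and the use of OpenZeppelin's `SafeERC20` are assumptions for this example; the pattern applies to any token whose received amount can differ from the requested one, and it ignores latent funds already held by the contract because only this call's delta is credited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Illustrative bridge showing balance verification around a transfer.
///         `diamond`, `onlyDiamond` and the constructor are assumptions for
///         this example, not the project's own code.
contract BalanceCheckedBridge {
    using SafeERC20 for IERC20;

    IERC20 public immutable steth;
    address public immutable diamond;

    error ZeroReceived();

    constructor(IERC20 _steth, address _diamond) {
        steth = _steth;
        diamond = _diamond;
    }

    modifier onlyDiamond() {
        require(msg.sender == diamond, "not diamond");
        _;
    }

    /// @dev Returns what the contract actually received, not the `amount`
    ///      argument. If the token deducts a fee (or rounds) on transfer,
    ///      the two differ and only the measured delta reaches the
    ///      accounting layer. Tokens already sitting in the contract do
    ///      not inflate the result because only this call's delta counts.
    function deposit(address from, uint256 amount)
        external
        onlyDiamond
        returns (uint256 received)
    {
        uint256 balanceBefore = steth.balanceOf(address(this));
        steth.safeTransferFrom(from, address(this), amount);
        uint256 balanceAfter = steth.balanceOf(address(this));

        // Checked arithmetic: reverts if the balance somehow decreased.
        received = balanceAfter - balanceBefore;
        if (received == 0) revert ZeroReceived();
    }
}
```

The delta is only trustworthy if no other balance change happens between the two `balanceOf` reads in the same call, so tokens with transfer hooks should be paired with a reentrancy guard.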

Updates

Lead Judging Commences

0xnevi (Lead Judge), almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
