Severity: medium
Valid

Minting Asset Tokens Inconsistently with the Input Amount When Dealing with Transfer-On-Fee or Deflationary Tokens

Summary

Vulnerability Details

With a transfer-on-fee token or a deflationary/rebasing token, the received amount can be less than the accounted amount. For instance, a deflationary token such as STA or PAXG might charge a certain fee for every transfer() or transferFrom().

ThunderLoan's deposit function uses the "amount" argument to calculate the minted amount. This is not appropriate for deflationary tokens or tokens with transfer fees, because the received amount may be less than the accounted amount. In such cases, the calculation should use the actual transferred amount, which accounts for any fees or deflation that occur during the transfer, as seen in tokens like STA and PAXG.

Impact

Using an inaccurate calculation for minting the asset token can lead to discrepancies that impact the protocol's operation. It's crucial to ensure accurate accounting for asset token minting to maintain the protocol's integrity.

Tools Used

Recommendations

For the deposit function, address this issue with transfer-on-fee or deflationary tokens by obtaining the actual received amount as the difference in token balance before and after the transfer. Then calculate the minting amount based on the actual received amount.
Also review other functions such as 'flashloan' to ensure that these tokens are handled correctly throughout the codebase.
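
The balance-difference approach from the recommendation, sketched as an added example (this is not ThunderLoan's code). The contract, its function names and the simplified share-pricing rule are assumptions made for illustration; the first function shows the nominal-amount pattern the finding describes, the second the corrected form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical vault, not the ThunderLoan implementation.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ExampleVault {
    IERC20 public immutable underlying;
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;

    constructor(IERC20 _underlying) { underlying = _underlying; }

    // Pattern from the finding: shares are minted for the requested amount,
    // so a token that keeps a fee leaves the vault holding less than it credited.
    function depositNominal(uint256 amount) external {
        uint256 shares = _toShares(amount, underlying.balanceOf(address(this)));
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _mint(msg.sender, shares);
    }

    // Recommended form: measure what actually arrived and mint against that.
    function depositMeasured(uint256 amount) external {
        uint256 balanceBefore = underlying.balanceOf(address(this));
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = underlying.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        _mint(msg.sender, _toShares(received, balanceBefore));
    }

    // Simplified pricing (assumption): shares are proportional to the assets
    // held before the deposit; the first depositor gets shares 1:1.
    function _toShares(uint256 assets, uint256 assetsBefore) private view returns (uint256) {
        if (totalShares == 0 || assetsBefore == 0) return assets;
        return assets * totalShares / assetsBefore;
    }

    function _mint(address to, uint256 shares) private {
        totalShares += shares;
        sharesOf[to] += shares;
    }
}
```

The balance delta is only trustworthy if nothing else can move the vault's balance during the call, so a reentrancy guard belongs on the measured deposit when tokens with transfer hooks may be supported.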

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

fee on transfer
