Submission Details
Severity: medium
Valid

Fee on transfer tokens may cause problems

Summary

Fee on token transfers may cause unexpected behaviors

Vulnerability Details

Tokens like STA and PXG charge a fee on transfer, and USDC and USDT may do so in the future. This means the amount that actually moves into the protocol on a transfer is the input amount less the fee, not the input amount itself.

Impact

  1. For flash loans, this makes it impossible to flash loan the market/pool of the token, because the function will always revert if the following check in ThunderLoan.sol line 213 fails.

if (endingBalance < startingBalance + fee) {
    revert ThunderLoan__NotPaidBack(startingBalance + fee, endingBalance);
}

The condition above will be true when the protocol fee < the feeOnTransferFee of the token.

  2. More asset tokens are minted than the amount actually received, giving extra tokens to the depositor (ThunderLoan.sol line 150).

uint256 mintAmount = (amount * assetToken.EXCHANGE_RATE_PRECISION()) / exchangeRate;

The actual amount received is lower than the amount used above: it is amount - feeOnTransferFee.

As seen above, fee-on-transfer tokens may cause unexpected behaviours such as those described, along with other potential issues or attack vectors not outlined here, so they are not ideal unless they and their associated risks are handled with full care.

Tools Used

Manual Analysis
Weird ERC20 Tokens => https://github.com/d-xo/weird-erc20

Recommendations

Recommended to exclude these tokens via the whitelist.
Recommended not to use the passed-in amounts in the minting and redemption calculations, but to use the actual balance of tokens moving into and out of the protocol.
Recommended to add plausibility and emergency patterns to the protocol.
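
The two impacts above and the balance-based recommendation, worked through in an added Python integer model (not code from ThunderLoan or from this submission). The 1% token fee, the account names, the `PRECISION` value and a borrower who repays exactly amount + protocol fee are assumptions for illustration.

```python
"""Constructed integer model of a fee-on-transfer token and a pool (not ThunderLoan code)."""

PRECISION = 10**18  # assumed stand-in for EXCHANGE_RATE_PRECISION


class FeeOnTransferToken:
    """ERC20-like ledger that deducts fee_bps from every transfer (assumed behaviour)."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee  # receiver gets less


def deposit(token, user, pool, amount, exchange_rate, measure_balance):
    """Return shares minted; measure_balance=True mints on the pool's balance delta."""
    before = token.balance_of(pool)
    token.transfer(user, pool, amount)
    received = token.balance_of(pool) - before
    basis = received if measure_balance else amount  # nominal amount over-mints
    return basis * PRECISION // exchange_rate


def flash_loan_repaid(token, pool, borrower, amount, protocol_fee):
    """Lend, take back amount + protocol_fee, then apply the ending-balance check."""
    starting = token.balance_of(pool)
    token.transfer(pool, borrower, amount)
    token.transfer(borrower, pool, amount + protocol_fee)
    return token.balance_of(pool) >= starting + protocol_fee  # False means revert


if __name__ == "__main__":
    t = FeeOnTransferToken(100)  # constructed sample: 1% fee
    t.mint("user", 2000)
    print("nominal mint:", deposit(t, "user", "pool", 1000, PRECISION, False))
    print("measured mint:", deposit(t, "user", "pool", 1000, PRECISION, True))
```
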

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

fee on transfer
