Upgradeable tokens may cause unexpected behaviors
Tokens like USDC and USDT are upgradeable. This means an upgrade can introduce features that cause vulnerabilities or unexpected behaviours in the protocol.
After an upgrade, such tokens may add hook callbacks that open up reentrancy; may retain blocklist and/or pausable features; may introduce a fee on transfer, which leads to wrong accounting of the amounts moving into the protocol, as described in the fee-on-transfer vulnerability; may introduce different proxy and implementation addresses; may stop following the ERC20 standard; may become rebasing tokens; or may change in any number of unknown ways that cause problems, hinder the working of the protocol or open up attack vectors. The links attached are all the parts involving transfer of the underlying token where problems may arise, e.g. if the tokens become fee-on-transfer, the amounts received are less than the input amount.
Manual Analysis
Weird ERC20 Tokens => https://github.com/d-xo/weird-erc20
It is recommended to exclude these tokens via the whitelist.
It is also recommended to add plausibility and emergency patterns so the protocol can react to their upgrades, etc.
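A sketch of the plausibility and emergency patterns recommended above, added here as an example and not taken from the audited protocol: the `GuardedVault` contract, its `guardian` role and the `credited` mapping are hypothetical names. The deposit path measures the balance delta instead of trusting the input amount, holds a reentrancy lock across the token call, and can be paused if an upgrade changes the token's behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical vault used only to illustrate the recommendation.
contract GuardedVault {
    address public immutable token;     // whitelisted underlying token
    address public immutable guardian;  // assumed emergency role
    bool public paused;
    bool private locked;
    mapping(address => uint256) public credited;

    error Paused();
    error Reentrant();
    error NotGuardian();
    error TransferFailed();
    error UnexpectedAmount(uint256 expected, uint256 received);

    constructor(address token_, address guardian_) {
        token = token_;
        guardian = guardian_;
    }

    // Emergency pattern: halt deposits when the token has been upgraded.
    function setPaused(bool paused_) external {
        if (msg.sender != guardian) revert NotGuardian();
        paused = paused_;
    }

    function deposit(uint256 amount) external {
        if (paused) revert Paused();
        if (locked) revert Reentrant(); // covers transfer hooks added by an upgrade
        locked = true;
        uint256 balanceBefore = IERC20Minimal(token).balanceOf(address(this));
        // transferFrom via low-level call: tolerates tokens that return no bool.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(0x23b872dd, msg.sender, address(this), amount)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();
        // Plausibility check: a fee-on-transfer or rebasing change shows up as a mismatch.
        uint256 received = IERC20Minimal(token).balanceOf(address(this)) - balanceBefore;
        if (received != amount) revert UnexpectedAmount(amount, received);
        credited[msg.sender] += received;
        locked = false;
    }
}
```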