The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Fee-on-transfer token inflates vault collateral

0xBinChook

Summary

A fee-on-transfer token would cause the vault collateral calculation to be incorrect,
overvaluing the amount that the protocol could redeem the tokens as transfer fees are not accounted.

None of the listed Arbitum tokens currently charge a fee on transfer, but they are all upgradable contracts.
On the Ethereum mainnet the PAXG token is fee-on-transfer, but the fee rate is currently zero, but can be changed.

Vulnerability Details

From the repo readme

Compatibilities:

Blockchains:

- Any EVM chains with live Chainlink data feeds and live Uniswap pools

Tokens:

- ETH

discussion in The Standard discord channel

dimulski — 01/02/2024 11:58 PM

hey, one more question regarding this, is the protocol going to be deployed on polygon, arbitrum and ethereum or

ewan — 01/03/2024 12:02 AM

no plans to do so any time soon, but it is possible

It seems reasonable to assume that compatability with Ethereum mainnet is in scope.

PAXG Arbitum One

On Arbiutm One PAXG is a 'normal' ArbERC20 token, importantly it is not a fee-on-transfer token,
nor does it support it without performing a contract upgrade.

PAXG Ethereum Mainnet

On Ethereum mainnet PAXG is a 'weird' ERC20 token, specifically it supports being fee-on-transfer token, currently with a fee rate zero on each transfer,
where the contract owner can easily change.

Swap

The minimum amount calculated by SmartVaultV3::calculateMinimumAmountOut() does not account for the asset being a
fee-on-transfer token, where the returned value will be lower (by the transfer fee amount) than it needs to be.

Liquidation

During the liquidation there are at least two ERC20 transfers by the protocol:

SmartVaultV3:liquidate() to the LiquidationPoolManager
LiquidationPoolManager::forwardRemainingRewards()

With a fee on each transfer, the holding of the token with be two bites of fee lower than the valuation in the vault before liquidation.

Impact

Collateral calculations of fee-on-transfer ERC20s will be greater than the value the protocol could redeem on liquidation.

Tools Used

Manual review

Recommendations

As whitelist is already implemented with ITokenManager.getAcceptedTokens() either:

Implement a strict no fee-on-transfer token policy, with regular review of accepted token to ensure they've no been upgraded or had their fees set to above zero
Add a flag to ITokenManager.Token for whether the ERC20 is a fee-on-transfer, include a fee lookup for the swap and liquidation flows.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

fee-on-transfer

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Assigned finding tags:

fee-on-transfer

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.