The Standard
DeFi, Hardhat
20,000 USDC

Submission Details
Severity: medium
Status: Invalid

Fee-on-transfer token inflates vault collateral

Summary

A fee-on-transfer token would cause the vault collateral calculation to be incorrect: the protocol would
overvalue the amount it could redeem the tokens for, because transfer fees are not accounted for.

None of the listed Arbitrum tokens currently charges a fee on transfer, but they are all upgradable contracts.
On Ethereum mainnet the PAXG token is fee-on-transfer; its fee rate is currently zero, but the token owner can change it.

Vulnerability Details

From the repo README:

Compatibilities:
Blockchains:
- Any EVM chains with live Chainlink data feeds and live Uniswap pools
Tokens:
- ETH

Discussion in The Standard Discord channel:

dimulski — 01/02/2024 11:58 PM
hey, one more question regarding this, is the protocol going to be deployed on Polygon, Arbitrum and Ethereum or
ewan — 01/03/2024 12:02 AM
no plans to do so any time soon, but it is possible

It seems reasonable to assume that compatibility with Ethereum mainnet is in scope.

PAXG on Arbitrum One

On Arbitrum One PAXG is a 'normal' ArbERC20 token; importantly, it is not a fee-on-transfer token,
and it cannot become one without a contract upgrade.

PAXG on Ethereum Mainnet

On Ethereum mainnet PAXG is a 'weird' ERC20 token: it supports charging a fee on each transfer, currently with a fee rate of zero,
which the contract owner can change at any time.

Swap

The minimum amount calculated by SmartVaultV3::calculateMinimumAmountOut() does not account for the asset being a
fee-on-transfer token, so the returned value is lower (by the transfer fee amount) than it needs to be.

Liquidation

During a liquidation there are at least two ERC20 transfers by the protocol:

  1. SmartVaultV3::liquidate() to the LiquidationPoolManager

  2. LiquidationPoolManager::forwardRemainingRewards()

With a fee on each transfer, the token holding ends up two bites of fee lower than the valuation recorded in the vault before liquidation.

Impact

Collateral valuations of fee-on-transfer ERC20s will be greater than the value the protocol can actually redeem on liquidation.

Tools Used

Manual review

Recommendations

As a whitelist is already implemented with ITokenManager.getAcceptedTokens(), either:

  1. Implement a strict no-fee-on-transfer token policy, with regular review of accepted tokens to ensure they have not been upgraded or had their fees set above zero.

  2. Add a flag to ITokenManager.Token for whether the ERC20 is fee-on-transfer, and include a fee lookup in the swap and liquidation flows.
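To make the two-bite erosion described under Liquidation concrete, and to show what the fee lookup in recommendation 2 buys, here is an added Python model. It is not part of this submission or of The Standard's code base. The token mirrors a PAXG-style fee parameterisation (a fee rate expressed out of 1,000,000 parts; that denominator, the rate and the amounts below are constructed), and the vault, pool manager and pool are hypothetical stand-ins named only for the two transfers listed above.

```python
"""Constructed model: a fee-on-transfer collateral token moving through the two
liquidation transfers, compared against a fee-blind and a fee-aware valuation.
Not The Standard's contracts; account names are placeholders."""

from dataclasses import dataclass, field

# Denominator for the fee rate, PAXG-style (assumption for this model).
FEE_PARTS = 1_000_000


@dataclass
class FeeOnTransferToken:
    """Minimal ERC20-like balance book that skims a fee on every transfer.

    fee_rate == 0 behaves like a plain ERC20, which is PAXG's current setting."""

    fee_rate: int
    balances: dict = field(default_factory=dict)

    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0)

    def fee_for(self, amount: int) -> int:
        # Integer math, rounding down, as a Solidity implementation would.
        return amount * self.fee_rate // FEE_PARTS

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Move `amount` from sender; recipient receives amount minus fee.
        The fee is simply dropped here (in a real token it goes to a fee recipient)."""
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = self.fee_for(amount)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        return amount - fee


def naive_collateral_value(token: FeeOnTransferToken, vault: str, price: int) -> int:
    """What the finding describes: balance times price, fees ignored."""
    return token.balance_of(vault) * price


def fee_aware_collateral_value(token: FeeOnTransferToken, vault: str, price: int, hops: int) -> int:
    """Recommendation 2: look up the token's fee and value what survives `hops` transfers."""
    amount = token.balance_of(vault)
    for _ in range(hops):
        amount -= token.fee_for(amount)
    return amount * price


def liquidate(token: FeeOnTransferToken, vault: str, pool_manager: str, pool: str) -> int:
    """The two protocol transfers from the finding; returns what finally lands."""
    # Bite 1: vault liquidation sends the whole holding to the pool manager.
    token.transfer(vault, pool_manager, token.balance_of(vault))
    # Bite 2: the pool manager forwards what it received onward.
    token.transfer(pool_manager, pool, token.balance_of(pool_manager))
    return token.balance_of(pool)


def liquidation_scenario(fee_rate: int, amount: int, price: int) -> tuple[int, int, int]:
    """Return (naive valuation, fee-aware valuation, value actually realised)."""
    token = FeeOnTransferToken(fee_rate)
    token.balances["vault"] = amount
    naive = naive_collateral_value(token, "vault", price)
    fee_aware = fee_aware_collateral_value(token, "vault", price, hops=2)
    realised = liquidate(token, "vault", "pool_manager", "pool") * price
    return naive, fee_aware, realised


if __name__ == "__main__":
    # Constructed numbers: 1e9 token units, price 2, fee 0.2% (2000 of 1,000,000).
    for rate in (0, 2000):
        naive, fee_aware, realised = liquidation_scenario(rate, 1_000_000_000, 2)
        print(f"fee_rate={rate}: naive={naive} fee_aware={fee_aware} realised={realised} "
              f"overvaluation={naive - realised}")
```

With the fee at zero all three numbers agree, which is why nothing is visibly wrong today; once the owner raises the rate, the naive valuation stays put while the realised value drops by two bites, and only the fee-aware figure tracks what the protocol can actually redeem.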

Updates

Lead Judging Commences

hrishibhat, Lead Judge, over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags: fee-on-transfer

hrishibhat, Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags: fee-on-transfer
