DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

UnripeFacet doesn't support fee-on-transfer tokens or rebase tokens

Summary

The UnripeFacet contract doesn't support fee-on-transfer tokens or rebase tokens, which will cause incorrect internal unripeToken accounting.

Vulnerability Details

The function UnripeFacet#addMigratedUnderlying only supports standard ERC20 tokens; it doesn't support fee-on-transfer tokens or rebase tokens. When s.u[unripeToken].underlyingToken is a fee-on-transfer or rebasing token like PAXG or stETH, the accounting will be incorrect, because the function increments the underlying balance through incrementUnderlying with the same underlyingToken amount.

    function addMigratedUnderlying(
        address unripeToken,
        uint256 amount
    ) external payable nonReentrant {
        LibDiamond.enforceIsContractOwner();
        IERC20(s.u[unripeToken].underlyingToken).safeTransferFrom(
            msg.sender,
            address(this),
            amount
        );
        LibUnripe.incrementUnderlying(unripeToken, amount);
    }

For example, if unripeToken is PAXG and amount is 100 ether, the contract shouldn't increment the unripeToken balance by 100 ether, because that figure doesn't subtract the related fee.

Impact

Causes incorrect internal unripeToken accounting when the underlying token is a fee-on-transfer or rebasing token.

Tools Used

vscode, Manual Review

Recommendations

Calculate the underlying token amount from the balance delta before and after the transfer.
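
The balance-delta accounting recommended above, as an added example that is not part of the original submission and is not the project's code. The contract name, the storage mappings, `setUnderlying` and the inline reentrancy lock are hypothetical stand-ins for the diamond storage, `LibDiamond` and `LibUnripe` calls shown in the finding; the OpenZeppelin import paths are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical stand-alone contract: credits what actually arrived,
/// not the nominal `amount` passed by the caller.
contract DeltaAccountingExample {
    using SafeERC20 for IERC20;

    address public immutable owner;
    bool private locked; // minimal reentrancy lock (stand-in for nonReentrant)

    // unripeToken => underlying token (assumed layout, for illustration)
    mapping(address => address) public underlyingToken;
    // unripeToken => internally tracked underlying balance
    mapping(address => uint256) public balanceOfUnderlying;

    constructor() {
        owner = msg.sender;
    }

    function setUnderlying(address unripeToken, address token) external {
        require(msg.sender == owner, "not owner");
        underlyingToken[unripeToken] = token;
    }

    function addMigratedUnderlying(address unripeToken, uint256 amount)
        external
        returns (uint256 received)
    {
        require(msg.sender == owner, "not owner");
        // The delta is only trustworthy if nothing can re-enter between the
        // two balanceOf reads (e.g. via a token transfer hook).
        require(!locked, "reentrant call");
        locked = true;

        IERC20 token = IERC20(underlyingToken[unripeToken]);
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // For a fee-on-transfer token, received < amount.
        received = token.balanceOf(address(this)) - balanceBefore;

        balanceOfUnderlying[unripeToken] += received;
        locked = false;
    }
}
```

The delta corrects the credited amount at deposit time only; a rebasing token can still change the contract's real balance afterwards, so the stored figure would drift unless it is reconciled against `balanceOf` separately.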

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Fee-on-transfer/rebase tokens
