DeFiHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Fee on transfer tokens can lead to incorrect approval

Summary

The addUnderlying function does not account for tokens with fee on transfer.

Vulnerability Details

For tokens that charge a fee on transfer, the transferFrom call in addUnderlying will not deliver exactly tokenAmountIn of barnRaiseToken to the contract; the amount received is tokenAmountIn minus the fee. The approve call on the next line nevertheless approves the full tokenAmountIn to barnRaiseWell, so the approval (and any downstream accounting based on tokenAmountIn) is larger than what the contract actually holds, leading to accounting issues.

function addUnderlying(uint256 tokenAmountIn, uint256 usdAmount, uint256 minAmountOut) internal {
    AppStorage storage s = LibAppStorage.diamondStorage();
    // Calculate how many new Deposited Beans will be minted
    uint256 percentToFill = usdAmount.mul(C.precision()).div(
        remainingRecapitalization()
    );
    //...
    C.bean().mint(
        address(this),
        newDepositedLPBeans
    );
@>> IERC20(barnRaiseToken).transferFrom(
        msg.sender,
        address(this),
        uint256(tokenAmountIn)
    );
@>> IERC20(barnRaiseToken).approve(barnRaiseWell, uint256(tokenAmountIn));
@>> C.bean().approve(barnRaiseWell, newDepositedLPBeans);
    //..
    // Increment underlying balances of Unripe Tokens
    LibUnripe.incrementUnderlying(C.UNRIPE_BEAN, newDepositedBeans);
    LibUnripe.incrementUnderlying(C.UNRIPE_LP, newLP);
    s.recapitalized = s.recapitalized.add(usdAmount);
}

Tools Used

Manual Review

Recommendations

It is recommended to read the contract's balance of barnRaiseToken before and after the transferFrom, treat the difference as the amount actually received, and approve (and account for) only that received amount rather than tokenAmountIn.
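The balance-difference pattern from the recommendation, written out as an added example. This is illustrative code, not Beanstalk's own implementation: the IERC20 interface is the minimal standard surface the pattern needs, the contract name, the constructor arguments and the UnderlyingAdded event are assumptions, and the Bean minting and Unripe accounting from the original function are omitted so that only the pull-and-measure step is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed for the pattern. Assumption: the real
// barnRaiseToken exposes the standard transferFrom / approve / balanceOf.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative contract (hypothetical, not the project's code) showing how to
/// size the approval by what was actually received instead of what was requested.
contract FeeOnTransferSafePull {
    address public immutable barnRaiseToken; // placeholder, supplied at deployment
    address public immutable barnRaiseWell;  // placeholder, supplied at deployment

    event UnderlyingAdded(uint256 requested, uint256 received);

    constructor(address token, address well) {
        barnRaiseToken = token;
        barnRaiseWell = well;
    }

    /// Pull `tokenAmountIn` from the caller, measure what actually arrived, and
    /// approve only the received amount to the well. Any downstream accounting
    /// must likewise be driven by `received`, never by `tokenAmountIn`.
    function addUnderlying(uint256 tokenAmountIn) external returns (uint256 received) {
        IERC20 token = IERC20(barnRaiseToken);

        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), tokenAmountIn), "transferFrom failed");
        uint256 balanceAfter = token.balanceOf(address(this));

        // For a fee-on-transfer token `received` is strictly less than `tokenAmountIn`;
        // for a plain ERC-20 the two are equal, so the pattern is safe for both.
        received = balanceAfter - balanceBefore;
        require(received > 0, "nothing received");

        // Approve exactly what this contract holds, so the well's later transferFrom
        // cannot be sized larger than the real balance.
        require(token.approve(barnRaiseWell, received), "approve failed");

        emit UnderlyingAdded(tokenAmountIn, received);
    }
}
```

Two caveats a reviewer would attach to this pattern: it relies on the contract's balance not changing between the two balanceOf reads for any reason other than this transfer, so tokens with transfer hooks (ERC-777 style) warrant a reentrancy guard around the function; and some tokens reject a non-zero approve when an allowance is already outstanding, in which case the approval should be reset to zero first.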

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
