DeFiHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Fee on transfer of unripeToken can lead to incorrect calculation of `Penalized Underlying`

Vulnerability Details

The addMigratedUnderlying function does not account for tokens with fee on transfer.

function addMigratedUnderlying(
    address unripeToken,
    uint256 amount
) external payable nonReentrant {
    LibDiamond.enforceIsContractOwner();
@>> IERC20(s.u[unripeToken].underlyingToken).safeTransferFrom(
        msg.sender,
        address(this),
        amount
    );
@>> LibUnripe.incrementUnderlying(unripeToken, amount);
}

If the underlying token charges a fee on transfer, the safeTransferFrom in addMigratedUnderlying may deliver fewer than `amount` tokens to the contract. The incrementUnderlying call on the next line still uses `amount`, so the recorded underlying balance no longer matches the tokens actually received, leading to accounting issues.

function incrementUnderlying(address token, uint256 amount) internal {
    AppStorage storage s = LibAppStorage.diamondStorage();
    s.u[token].balanceOfUnderlying = s.u[token].balanceOfUnderlying.add(amount);
    emit ChangeUnderlying(token, int256(amount));
}

Tools Used

Manual Review

Recommendations

It is recommended to read the contract's balance of the underlying token before and after the transferFrom to determine how many tokens were actually received, and to pass only that received amount to incrementUnderlying.
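The balance-before/after pattern from the recommendation, shown next to the original credit-by-argument form, as an added example that is not the project's code; the contract name, storage layout and the onlyOwner modifier are stand-ins for the diamond's own storage and library calls:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Simplified stand-in for the protocol's storage (assumed names, not the project's).
contract UnderlyingVault {
    using SafeERC20 for IERC20;

    address public owner;
    mapping(address => address) public underlyingToken;     // unripeToken => underlying
    mapping(address => uint256) public balanceOfUnderlying; // credited underlying per unripe token

    event ChangeUnderlying(address indexed token, int256 underlying);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    /// Before: credits `amount` regardless of how many tokens actually arrived,
    /// so a fee-on-transfer underlying token is over-credited.
    function addMigratedUnderlyingUnsafe(address unripeToken, uint256 amount) external onlyOwner {
        IERC20(underlyingToken[unripeToken]).safeTransferFrom(msg.sender, address(this), amount);
        _incrementUnderlying(unripeToken, amount);
    }

    /// After: measures this contract's balance around the transfer and credits only the delta.
    function addMigratedUnderlying(address unripeToken, uint256 amount) external onlyOwner {
        IERC20 token = IERC20(underlyingToken[unripeToken]);
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        _incrementUnderlying(unripeToken, received);
    }

    function _incrementUnderlying(address token, uint256 amount) internal {
        balanceOfUnderlying[token] += amount;
        emit ChangeUnderlying(token, int256(amount));
    }
}
```

Keep the original nonReentrant guard on the real function: balance-delta accounting is only sound when no reentrant call can move the underlying token between the two balanceOf reads.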

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
