DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Invalid

Loss of funds when depositing fee-on-transfer tokens like Lido's stETH

Summary

Fee-on-transfer tokens like Lido's stETH will break the accounting of the system.

Vulnerability Details

Zaros aims to provide extra utility to staking and restaking tokens by accepting them as collateral tokens for its perpetual market. However, tokens like Lido's stETH are special when it comes to their transfer logic. During transfers, the amount that gets sent is a bit less than what has been specified in the transaction. This means that when a user calls TradingAccountBranch::depositMargin to deposit collateral, the protocol will receive fewer tokens than what it expects and records for the user.

Impact

Loss of funds for the protocol.

Tools Used

Manual

Recommendations

Always check and compare the contract balance before and after a deposit to get the real amount of the asset deposited, and record that as the actual deposit for the user. Also, watch out for rebasing tokens and how they can affect the protocol.
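
The balance-difference check recommended above, as an added example that is not part of the original submission and is not Zaros code. The contract name, storage layout, errors and event are hypothetical; only the depositMargin name follows the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical margin vault that credits the amount actually received,
/// not the amount the caller asked to deposit.
contract MarginVaultExample {
    // collateral token => depositor => credited margin
    mapping(address => mapping(address => uint256)) public marginOf;
    bool private locked;

    error Reentrancy();
    error TransferFailed();
    error NothingReceived();

    event MarginDeposited(address indexed account, address indexed token, uint256 requested, uint256 received);

    // A token callback re-entering between the two balance reads would
    // distort the measured difference, so the deposit path is guarded.
    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    function depositMargin(address token, uint256 amount) external nonReentrant {
        IERC20 collateral = IERC20(token);
        uint256 balanceBefore = collateral.balanceOf(address(this));
        // Assumes the token returns a bool; tokens that return nothing
        // need a safe-transfer wrapper instead of this direct call.
        if (!collateral.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        // Checked subtraction: reverts if the balance went down.
        uint256 received = collateral.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();
        // Credit what arrived; with a transfer shortfall, received < amount.
        marginOf[token][msg.sender] += received;
        emit MarginDeposited(msg.sender, token, amount, received);
    }
}
```

This measures the deposit at transfer time only; balances of rebasing tokens that change afterwards are not covered by this check.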

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Appeal created

krisrenzo Submitter
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
