DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

Issue with verifying the exact amount of tokens transferred in the `depositMargin` and `withdrawMargin` functions

Summary:

The `depositMargin` and `withdrawMargin` functions in the `TradingAccountBranch` contract do not verify the exact amount of tokens transferred.
The functions use safeTransferFrom and safeTransfer to handle token transfers but do not verify that the actual amount received by the contract matches the amount intended for transfer. This oversight may expose the contract to issues if the token contract applies fees or has other mechanisms affecting the transfer amount.

Vulnerability Details:

  • The depositMargin and withdrawMargin functions rely on token transfers but do not verify the actual amount of tokens received by the contract.

  • safeTransferFrom and safeTransfer are used to move tokens, but if the token contract applies fees or performs other modifications, the amount received by the contract may be less than the amount specified.

Impact:

  • If the token contract deducts fees or alters the transfer amount, the contract might not receive the expected amount of tokens.

  • This discrepancy can lead to inconsistencies in margin collateral balances, potentially affecting liquidity, margin requirements, and overall contract stability.

Proof of Concept:

Explanation:

Deposit Margin Function:

  • The function transfers tokens from msg.sender to the contract using safeTransferFrom but does not check if the actual amount received matches the intended amount. If the token contract applies a fee, the contract may receive less than specified.

Withdraw Margin Function:

  • Similar to the deposit function, the withdrawMargin function transfers tokens from the contract to msg.sender using safeTransfer without verifying the actual amount transferred.

Example Issue:

  • If a token contract applies a fee of 1%, and the user intends to deposit 100 tokens, the contract may only receive 99 tokens. Without verification, the contract might inaccurately record the deposited amount as 100 tokens.

Tools Used:

Manual

Recommendations:

  1. Verify Actual Amount Received:

    • Add checks to ensure the amount of tokens received by the contract matches the intended amount. This can be done by comparing the contract’s token balance before and after the transfer.
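As an added illustration, not the protocol's own code, the deposit side of the recommended check in Solidity: the unchecked pattern is shown next to the balance-before/after version, which credits only what actually arrived. Contract and storage names (`MarginDepositExample`, `marginBalance`, `accountId`) are assumed, and OpenZeppelin's `SafeERC20` stands in for the `safeTransferFrom` helper mentioned in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative margin-account sketch (assumed names, not TradingAccountBranch).
contract MarginDepositExample {
    using SafeERC20 for IERC20;

    error ZeroReceived();

    // accountId => collateral token => credited margin balance
    mapping(uint128 => mapping(address => uint256)) public marginBalance;

    event MarginDeposited(uint128 indexed accountId, address indexed token, uint256 requested, uint256 credited);

    // Pattern described in the finding: the requested amount is credited even
    // when a fee-on-transfer token delivers less (100 requested, 99 received).
    function depositMarginUnchecked(uint128 accountId, address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        marginBalance[accountId][token] += amount; // credits 100 although only 99 arrived
    }

    // Recommended pattern: snapshot the contract's balance, transfer, and credit
    // only the measured difference. Tokens with transfer hooks could re-enter
    // between the two balanceOf calls, so pair this with a reentrancy guard.
    function depositMargin(uint128 accountId, address token, uint256 amount) external {
        IERC20 erc20 = IERC20(token);
        uint256 balanceBefore = erc20.balanceOf(address(this));
        erc20.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = erc20.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert ZeroReceived();
        marginBalance[accountId][token] += received; // 99, not 100, for a 1% fee token
        emit MarginDeposited(accountId, token, amount, received);
    }
}
```

The same before/after measurement can be applied on the `safeTransfer` path in `withdrawMargin` so the debited amount matches what actually left the contract.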

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
