Tadle

Tadle
DeFiFoundry
27,750 USDC
View results
Submission Details
Severity: medium
Valid

Mitigating Inaccuracies in Token Balance Due to Fee-on-Transfer Compatibility Issues in _depositTokenWhenCreateTaker Function.

Summary:

The function _depositTokenWhenCreateTaker currently does not account for fee-on-transfer tokens, which could lead to miscalculations in balance tracking. Fee-on-transfer tokens deduct a fee on each transfer, resulting in the contract receiving less than the amount initially sent.

Vulnerability Details:

The function _depositTokenWhenCreateTaker is intended to lock tokens by transferring them from the sender to the contract. However, when dealing with fee-on-transfer tokens, the actual amount received is reduced due to the fee. This discrepancy arises because the function assumes the full _quantity will be transferred, which leads to inaccurate balance updates. This misalignment between expected and actual token balances can cause errors in subsequent calculations and undermine the overall functionality and reliability of the contract.

function _depositTokenWhenCreateTaker(
uint256 platformFee,
uint256 depositAmount,
uint256 tradeTax,
MakerInfo storage makerInfo,
OfferInfo storage offerInfo,
ITokenManager tokenManager
) internal {
uint256 transferAmount = OfferLibraries.getDepositAmount(
offerInfo.offerType,
offerInfo.collateralRate,
depositAmount,
false,
Math.Rounding.Ceil
);
transferAmount = transferAmount + platformFee + tradeTax;
tokenManager.tillIn{value: msg.value}(
_msgSender(),
makerInfo.tokenAddress,
transferAmount,
false
);
}

Impact:

This issue could lead to incorrect balance tracking within the contract, potentially disrupting any processes that rely on accurate token balances.

Recommendations:

The code should be updated to properly handle fee-on-transfer tokens to ensure accurate balance tracking.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-FOT-Rebasing

Valid medium, there are disruptions to the ability to take market actions. The following functions will be disrupted without the possibiliy of reaching settlement, since the respective offers cannot be created/listed regardless of mode when transferring collateral token required to the CapitalPool contract or when refunding token from user to capital pool during relisting. So withdrawal is not an issue - `createOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L96-L102) - `listOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L355-L362) - `relistOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L515-L521) - `createTaker()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L831-L836) I believe medium severity is appropriate although the likelihood is high and impact is medium (only some level of disruption i.e. FOT tokens not supported and no funds at risk)

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.