Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Valid

Incompatibility with Fee-on-Transfer and Rebasing Tokens

Summary

The protocol's token transfer implementation is not compatible with fee-on-transfer and rebasing tokens, leading to failed token transfers for such ERC20 tokens.

Vulnerability Details

The protocol's _transfer function in TokenManager.sol performs balance checks before and after the token transfer to ensure the transfer was successful. However, these checks do not account for the behavior of fee-on-transfer and rebasing tokens, which can cause the balances to change in ways that trigger the function's revert conditions.

This is how the _transfer function is implemented in TokenManager.sol:

```solidity
function _transfer(
    address _token,
    address _from,
    address _to,
    uint256 _amount,
    address _capitalPoolAddr
) internal {
    uint256 fromBalanceBef = IERC20(_token).balanceOf(_from);
    uint256 toBalanceBef = IERC20(_token).balanceOf(_to);
    if (
        _from == _capitalPoolAddr &&
        IERC20(_token).allowance(_from, address(this)) == 0x0
    ) {
        ICapitalPool(_capitalPoolAddr).approve(address(this));
    }
    _safe_transfer_from(_token, _from, _to, _amount);
    uint256 fromBalanceAft = IERC20(_token).balanceOf(_from);
    uint256 toBalanceAft = IERC20(_token).balanceOf(_to);
    if (fromBalanceAft != fromBalanceBef - _amount) {
        revert TransferFailed();
    }
    if (toBalanceAft != toBalanceBef + _amount) {
        revert TransferFailed();
    }
}
```

Fee-on-transfer tokens deduct a fee from the amount being transferred, so the recipient's balance increases by less than the sent amount. This makes the balance check `toBalanceAft != toBalanceBef + _amount` fail and the transfer revert.
Similarly, rebasing tokens can change a holder's balance independently of the transfer, which will also cause the balance checks to fail and the transfer to revert.

Impact

The function will revert all transfers of fee-on-transfer and rebasing ERC20 tokens, making them unusable in this system.

Tools Used

Recommendations

To address this issue, the protocol should modify the _transfer function to properly handle fee-on-transfer and rebasing tokens. One possible solution is to measure the amount actually credited to the recipient (which may be less than the sent amount due to fees) and use that amount in the protocol's accounting, rather than asserting that the balance changed by exactly the sent amount.
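The following is an added example, not Tadle code, showing the recommended shape of the fix: a constructed fee-on-transfer mock (assumes OpenZeppelin v5, whose `_update` hook is overridden here) and a `_transfer` variant that returns the amount the recipient actually received instead of reverting when it differs from `_amount`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock of a fee-on-transfer token (OpenZeppelin v5 ERC20 hook):
// 1% of every wallet-to-wallet transfer is burned, so the recipient
// receives less than the nominal amount.
contract FeeOnTransferMock is ERC20 {
    uint256 public constant FEE_BPS = 100;

    constructor() ERC20("FeeToken", "FOT") {
        _mint(msg.sender, 1_000_000e18);
    }

    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0)) {
            uint256 fee = (value * FEE_BPS) / 10_000;
            super._update(from, address(0), fee); // burn the fee
            value -= fee;
        }
        super._update(from, to, value);
    }
}

// Hardened transfer helper (hypothetical, not the protocol's code): report what
// the recipient actually received instead of reverting when it differs from _amount.
contract FeeTolerantTransfer {
    using SafeERC20 for IERC20;

    error TransferFailed();

    function _transfer(address _token, address _from, address _to, uint256 _amount)
        internal
        returns (uint256 received)
    {
        uint256 toBalanceBef = IERC20(_token).balanceOf(_to);
        IERC20(_token).safeTransferFrom(_from, _to, _amount);
        uint256 toBalanceAft = IERC20(_token).balanceOf(_to);
        // Still reject a transfer that credits nothing or more than was sent;
        // any amount in (0, _amount] is accepted and returned to the caller,
        // which must credit `received` rather than `_amount` in its ledger.
        if (toBalanceAft <= toBalanceBef) revert TransferFailed();
        received = toBalanceAft - toBalanceBef;
        if (received > _amount) revert TransferFailed();
    }
}
```

Measuring the delta covers fee-on-transfer tokens; rebasing tokens additionally drift after the transfer completes, so a protocol that wants to support them needs share-based accounting rather than a one-time balance read.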

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-TokenManager-FOT-Rebasing

Valid medium, there are disruptions to the ability to take market actions. The following functions will be disrupted without the possibility of reaching settlement, since the respective offers cannot be created/listed regardless of mode when transferring collateral token required to the CapitalPool contract or when refunding token from user to capital pool during relisting. So withdrawal is not an issue

- `createOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L96-L102)
- `listOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L355-L362)
- `relistOffer()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L515-L521)
- `createTaker()` - reverts [here](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L831-L836)

I believe medium severity is appropriate although the likelihood is high and impact is medium (only some level of disruption i.e. FOT tokens not supported and no funds at risk)