Links

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L259-L261

Summary

The purpose of the TokenManager::_transfer function is to transfer ERC20 tokens between addresses. However, it is incompatible with fee-on-transfer tokens due to strict balance checks before and after the transfer.

Vulnerability Details

The TokenManager::_transfer function is used to transfer a given token from _from address to _to address:

The function checks the balance before and after the transfer of the sender and the receiver. Also, according to the docs of the contest the protocol should be compatible with every ERC-20 token:

But some ERC-20 tokens are fee on transfer tokens (STA, PAXG, USDC can be in the future) and the function will not work with them because of the check toBalanceAft != toBalanceBef + _amount that will always revert.

Impact

The balance checks before and after the transfer assume that the exact _amount of tokens will be transferred. This assumption fails for fee-on-transfer tokens, which deduct a fee during the transfer. As a result the receiver's balance will increase by less than _amount and the _transfer function will always revert. That means every function that relies on the _transfer function will also revert. The _transfer function is called in TokenManager::tillIn function that is critical for the protocol functionality because it transfers a token from the user to the capital pool and the tillIn function is used in many important for the protocol functions.
If fee on transfer token is used the functionality of the protocol will be broken.

Tools Used

Manual Review

Recommendations

Implement logic to account for the fee deducted during the transfer. This involves estimating the fee and adjusting the balance checks accordingly.