Dria

Summary

The protocol may experience a Denial of Service (DoS) or incur losses due to handling fee-on-transfer tokens. This issue arises because fee-on-transfer tokens deduct a fee during transfer, potentially leaving the contract with insufficient funds to complete subsequent transfers, which can cause transactions to fail or lead to loss of funds.

Vulnerability Details

In the purchase function of Swan.sol, the function first transfers the approved funds (listing price) from the buyer to the contract. The next line attempts to transfer the full listing price from the contract to the seller. However, if the token being transferred has a fee on transfer, an issue arises because a portion of the transferred amount is deducted as a fee, meaning the amount credited to the contract is less than the listing price.

When the contract then attempts to transfer the full listing price to the seller, it may fail due to insufficient funds. Alternatively, if the transfer succeeds by covering the shortfall from the contract's balance, the protocol incurs a loss equivalent to the fee amount, which could lead to financial losses over time.

Numerical Example

1. Assume the listing price is 100 tokens and a 1% fee is charged on transfer.

2. The buyer sends 100 tokens to the contract, but due to the 1% fee, only 99 tokens are received by the contract.

3. The contract then attempts to transfer 100 tokens to the seller.

   • Scenario 1: If the contract balance cannot cover the shortfall, the transaction fails due to insufficient balance.

   • Scenario 2: If the protocol absorbs the shortfall, the contract incurs a 1-token loss per transaction. Repeated transactions could lead to cumulative financial loss.

Code Snippet

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L276
https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L298-L299

Impact

1. Denial of Service (DoS): The purchase transaction will likely fail due to insufficient balance if the contract cannot cover the fee-deducted shortfall, preventing users from successfully purchasing assets.

2. Financial Loss: If the contract absorbs the fee difference, the protocol will bear the cost, resulting in cumulative losses over time.

Tools Used

Manual Review

Recommendations

1. Whitelist Compatible Tokens: Allow only tokens that do not charge a fee on transfer or explicitly whitelist compatible tokens to prevent unsupported tokens from being used in the protocol.

2. Handle Fee-on-Transfer Tokens Separately: Implement specific logic to handle fee-on-transfer tokens, such as:

   • Verifying the balance received by the contract after the buyer’s transfer.

   • Adjusting the transfer amount to the seller based on the actual balance received, rather than assuming the full listing price is available.

These changes will mitigate risks of failed transactions and ensure the protocol does not incur unintended financial losses.