The MembershipFactory contract's joinDAO function lacks proper accounting mechanisms for tokens that implement fee-on-transfer features. When such tokens are whitelisted through the CurrencyManager contract, the actual amount received by both the platform (owpWallet) and the DAO will be less than calculated. The contract assumes a 1:1 transfer ratio when calculating the 20% platform fee, but fee-on-transfer tokens violate this assumption, resulting in the platform receiving less than the intended revenue share.
The contract calculates and transfers platform fees using a fixed percentage (20%) of the tier price:
The issue arises because fee-on-transfer tokens deduct a percentage from each transfer. If such a token charges a 5% fee per transfer:
A platformFees of 100 tokens would result in only 95 tokens reaching owpWallet
The remaining transfer would also be reduced by 5%
This reduces the protocol's revenue below the intended 20%.
Direct financial loss for the protocol as platform fees are reduced
Inconsistent fee collection across different token types
Manual Review
Check the contract balance before and after any token transfer, and register the difference as the amount sent. This can help in handling fee-on-transfer tokens.
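The shortfall described above and the balance-delta check, as an added Python model; it is not the project's Solidity code. The toy token ledger, the account names, the tier price of 500, the assumption that the remainder after the platform fee goes to the DAO, and the strict flag are all constructed for illustration.

```python
"""Constructed model of the fee-on-transfer accounting gap (not the project's code)."""


class FeeOnTransferToken:
    """Toy ERC-20 ledger that withholds fee_bps of every transfer (assumed fee model)."""

    def __init__(self, fee_bps, balances):
        self.fee_bps = fee_bps
        self.balances = dict(balances)

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer_from(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee


def measured_transfer(token, sender, recipient, amount):
    """Balance-delta accounting: report what arrived, not the nominal amount."""
    before = token.balance_of(recipient)
    token.transfer_from(sender, recipient, amount)
    return token.balance_of(recipient) - before


def join_dao(token, user, owp_wallet, dao, tier_price, strict=False):
    """Hypothetical 20/80 split of tier_price; returns the amount each side received."""
    platform_fees = tier_price * 20 // 100
    legs = [(owp_wallet, platform_fees), (dao, tier_price - platform_fees)]
    snapshot, received = dict(token.balances), {}
    for recipient, amount in legs:
        got = measured_transfer(token, user, recipient, amount)
        if strict and got != amount:
            token.balances = snapshot  # model an EVM revert: undo all transfers
            raise ValueError(f"{recipient}: expected {amount}, received {got}")
        received[recipient] = got
    return received


def demo():
    # Constructed scenario: tier price 500, token charging 5% (500 bps) per transfer.
    token = FeeOnTransferToken(500, {"user": 1_000})
    return join_dao(token, "user", "owpWallet", "dao", 500)
```

With strict=True the model rejects any token whose received amount differs from the nominal amount, which is the alternative to crediting the measured delta.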