Vulnerability Details:
The vault manages deposits and withdrawals of an underlying asset. However, the contract does not account for tokens that implement a fee-on-transfer mechanism (i.e., tokens that deduct a percentage or fixed fee during transfers).
Proof of Concept
For more information, see the code here.
The VaultRouterBranch.deposit function deposits a given amount of collateral assets into the provided vault in exchange for index tokens.
The issue is that if the underlying asset is a fee-on-transfer token, the amount the vault actually receives will be less than the value passed in the assets input parameter of VaultRouterBranch.deposit. The number of shares to mint, however, is calculated using the entire assets amount.
This issue could be further aggravated because the asset is transferred again on stake, on initiateWithdrawal, and when it is redeemed. Each of these operations will again charge a fee if the asset is a fee-on-transfer token. Hence, the actual asset amount left for a particular user will be less than the amount they initially transferred in.
Hence, when the user redeems the deposited shares back to the assets, the contract will not have enough assets to transfer to the redeemer, thus reverting the transaction.
Recommended Mitigation Steps: There should be pre and post checks on balances to get the real amount.
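One way to implement the pre/post balance check, shown as an added example on a hypothetical minimal vault (this is not the audited contract's code). The contract name, the minShares parameter and the simplified share pricing are assumptions, and the imports assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical vault illustrating balance-delta accounting for deposits.
contract DeltaAccountingVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;

    error ZeroReceived();
    error SlippageExceeded(uint256 shares, uint256 minShares);

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    /// @param assets    amount the caller sends (before any transfer fee)
    /// @param minShares hypothetical guard: minimum shares the caller accepts
    function deposit(uint256 assets, uint256 minShares)
        external
        nonReentrant // balance reads must not be interleaved with a re-entrant call
        returns (uint256 shares)
    {
        // Pre-check: vault balance before the transfer.
        uint256 balanceBefore = asset.balanceOf(address(this));
        asset.safeTransferFrom(msg.sender, address(this), assets);
        // Post-check: credit only what actually arrived, not the requested amount.
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert ZeroReceived();

        // Simplified pricing: shares are minted against `received`, never `assets`.
        shares = (totalShares == 0 || balanceBefore == 0)
            ? received
            : (received * totalShares) / balanceBefore;
        if (shares < minShares) revert SlippageExceeded(shares, minShares);

        totalShares += shares;
        sharesOf[msg.sender] += shares;
    }
}
```

The same delta measurement applies to every other path that moves the asset, since each transfer of a fee-on-transfer token can reduce the amount that arrives.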