The Treasury contract's deposit function records the full amount specified by the depositor without verifying the amount of tokens actually received. This leads to discrepancies when depositing tokens that deduct a fee on transfer (fee-on-transfer tokens): in such a case, the Treasury's internal records overstate the available balance. When withdrawals are later attempted against these inflated records, they can fail or produce accounting errors.
The Treasury's deposit function is implemented as follows:
The function:

- Calls `transferFrom` with the user-specified `amount`.
- Unconditionally increments its internal `_balances` and `_totalValue` by that amount.
- Does not verify whether the Treasury's actual token balance increased by the expected amount.
**Issue with Fee-on-Transfer Tokens:** When a token deducts a fee on transfer (for example, 1%):

- A depositor attempting to deposit 100 tokens will only deliver 99 tokens to the Treasury.
- However, the Treasury records a deposit of 100 tokens.
This discrepancy means that the internal accounting overstates the Treasury's balance. Subsequent withdrawals or fund allocations based on the recorded value may fail because the Treasury only holds the reduced amount.
**Impact:** Withdrawal failures and corrupted accounting.
**Tools Used:** Manual review.
**Recommendation:** Modify the deposit function to read the Treasury's token balance before and after the transfer and credit only the difference. This ensures that only the tokens actually received are recorded.
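The following is an added illustration of the recommended fix, not the Treasury's own code: a simplified deposit path with the current unchecked version beside a balance-delta version. Storage layout (`_balances` keyed by user and token, `_totalValue` keyed by token) and the OpenZeppelin imports are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin's IERC20 and SafeERC20 wrappers.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Simplified stand-in for the Treasury (added example, not the audited contract).
contract TreasuryDepositExample {
    using SafeERC20 for IERC20;

    // Assumed layout: user => token => credited amount, and token => total credited.
    mapping(address => mapping(address => uint256)) internal _balances;
    mapping(address => uint256) internal _totalValue;

    // BEFORE: credits the requested amount even if the token deducted a fee in transit.
    function depositUnchecked(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[msg.sender][token] += amount; // overstated for fee-on-transfer tokens
        _totalValue[token] += amount;
    }

    // AFTER: measure the contract's balance before and after, credit only the delta.
    function depositChecked(address token, uint256 amount) external returns (uint256 received) {
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 balAfter = IERC20(token).balanceOf(address(this));

        received = balAfter - balBefore;        // for a 1% fee token and amount = 100, this is 99
        require(received > 0, "Treasury: nothing received");

        _balances[msg.sender][token] += received; // records what the Treasury actually holds
        _totalValue[token] += received;
    }
}
```

The delta measurement is only sound if no other transfer into the contract can interleave with it, so pair it with a reentrancy guard when tokens with transfer hooks (for example ERC-777) are in scope.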