The Treasury::deposit function allows for the deposit of any ERC-20 token. However, it does not properly handle tokens that have a fee-on-transfer mechanism. This can result in incorrect balance accounting, leading to potential discrepancies between expected and actual deposited amounts.
The contract assumes that the amount transferred by the sender is the same as the amount received by the contract.
Fee-on-transfer tokens deduct a percentage of the transferred amount as a fee, meaning the contract receives less than the sender intended to deposit. Without explicit handling of fee-on-transfer tokens, the contract may record an incorrect balance, leading to miscalculations in withdrawals or other treasury operations.
The amount stored in the _balances mapping is higher than the amount received.
Manual Review
Read the contract's token balance before and after the transfer and subtract the two to get the amount actually received; record that value instead of the requested amount.
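The accounting pattern described in this finding next to the recommended balance-delta fix, as an added sketch that is not the audited project's code. Only `deposit` and `_balances` are named in the finding; the contract name, function signatures, event, error and the OpenZeppelin v5 import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical sketch: signatures, event and error are assumptions,
// not taken from the audited Treasury contract.
contract TreasurySketch is ReentrancyGuard {
    using SafeERC20 for IERC20;

    // Per-token amount the treasury believes it holds.
    mapping(address token => uint256) private _balances;

    event Deposited(address indexed token, address indexed from, uint256 requested, uint256 received);
    error ZeroReceived();

    // Pattern the finding describes: the requested amount is credited,
    // so a fee-on-transfer token leaves _balances higher than the real holding.
    function depositUnchecked(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += amount; // overstated by the token's fee
    }

    // Recommended handling: credit only what actually arrived.
    // nonReentrant keeps a token with transfer callbacks from nesting a second
    // deposit inside the before/after window and having it counted twice.
    function deposit(address token, uint256 amount) external nonReentrant {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        // Checked arithmetic reverts if the balance somehow decreased.
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert ZeroReceived();
        _balances[token] += received;
        emit Deposited(token, msg.sender, amount, received);
    }

    function recordedBalance(address token) external view returns (uint256) {
        return _balances[token];
    }
}
```

Logging both `requested` and `received` lets off-chain monitoring flag any token where the two differ.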