OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

No Fee-on-Transfer Token Support

Author Revealed upon completion

Root + Impact

Description

  • Normal behavior:

The contract assumes all ERC20 tokens behave according to the standard, meaning the amount transferred is exactly the amount specified, with no fees or hooks. This is true for most major tokens, but not all.

  • Issue:

If a fee-on-transfer token (one that deducts a fee on every transfer) is added to the allowed-token list, the contract logic will break. The amount received or sent will not match the expected value, so buyers or sellers receive less than intended and protocol accounting becomes inaccurate.

Explanation: The protocol logic assumes the full amount is transferred, but fee-on-transfer tokens break this assumption, causing user losses and accounting errors.

IERC20(_tokenToSell).safeTransferFrom(msg.sender, address(this), _amountToSell); // @> Assumes full amount is received
IERC20(order.tokenToSell).safeTransfer(msg.sender, order.amountToSell); // @> Assumes full amount is sent

Risk

Likelihood:

  • Owner may add a fee-on-transfer token to the allowed list, either intentionally or by mistake.

  • Users may create orders with such tokens, leading to broken logic.

Impact:

  • Buyers or sellers may receive less than expected, leading to loss of funds and disputes.

  • Protocol accounting becomes inaccurate, potentially leading to further bugs or vulnerabilities.

Proof of Concept

// This PoC shows how a fee-on-transfer token breaks the protocol logic.
// The owner adds a fee-on-transfer token to the allowed list.
// Seller lists 100 tokens, but only 99 are received by the contract due to a 1% fee.
// Buyer receives 99 tokens, but pays for 100.

Recommended Mitigation

Restrict allowed tokens to standard ERC20s, or implement logic to handle fee-on-transfer tokens (complex and not recommended). Clearly document that only standard tokens are supported.
Explanation: By limiting the protocol to standard tokens, or at least warning users, the protocol avoids logic errors and protects users from unexpected losses.
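The scenario from the Proof of Concept and the second mitigation option (measuring what actually arrives) side by side, as an added example that is not OrderBook's own code. Everything in it is constructed for illustration: FeeToken (a 1%-fee token), NaiveEscrow (the pattern the finding quotes, trusting the requested amount), MeasuredEscrow (crediting only the balance delta) and Demo are assumed names, and plain transfer/transferFrom calls stand in for the project's SafeERC20 usage so the file compiles with no dependencies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not OrderBook's own code. Everything below is constructed:
// a 1%-fee token, a simplified escrow that trusts the requested amount (the
// pattern the finding quotes) and one that credits only the measured balance
// delta. Plain transfer/transferFrom calls stand in for SafeERC20.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Constructed fee-on-transfer token: the recipient gets 1% less than was sent.
contract FeeToken {
    uint256 public constant FEE_BPS = 100; // 1% in basis points
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Debit the full amount from the sender, credit the receiver net of the fee
    // (the fee is simply burned here).
    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }
}

/// Vulnerable pattern from the finding: the requested amount is recorded
/// even though fewer tokens actually arrived.
contract NaiveEscrow {
    mapping(address => uint256) public credited;

    function deposit(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount; // @> assumes the full amount was received
    }
}

/// Hardened pattern: credit only the balance delta the transfer produced.
contract MeasuredEscrow {
    mapping(address => uint256) public credited;

    function deposit(IERC20 token, uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received; // what the contract really holds
    }
}

/// Reproduces the PoC scenario: deposit 100 tokens into each escrow and
/// return the bookkeeping entries next to the real holdings.
contract Demo {
    function run() external returns (uint256 naiveCredit, uint256 naiveHeld, uint256 measuredCredit) {
        FeeToken t = new FeeToken(address(this), 1000e18);
        NaiveEscrow naive = new NaiveEscrow();
        MeasuredEscrow measured = new MeasuredEscrow();

        t.approve(address(naive), 100e18);
        t.approve(address(measured), 100e18);
        naive.deposit(IERC20(address(t)), 100e18);
        measured.deposit(IERC20(address(t)), 100e18);

        naiveCredit = naive.credited(address(this));       // requested amount, on the books
        naiveHeld = t.balanceOf(address(naive));           // net of fee, actually held
        measuredCredit = measured.credited(address(this)); // matches the real holdings
    }
}
```

Calling Demo.run() shows the accounting gap the finding describes: NaiveEscrow's credited balance exceeds the tokens it holds by exactly the fee, while MeasuredEscrow's entry matches its holdings. Note that the balance-delta check only repairs the incoming leg; the outgoing transfer of order.amountToSell is shaved by the same fee, so the buyer still receives less (or the transfer reverts once the contract holds less than it tries to send), which is why the simpler option of keeping fee-on-transfer tokens off the allowlist is the one to prefer.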
Updates

Lead Judging Commences
yeahchibyke (Lead Judge), 6 days ago

Submission Judgement Published
yeahchibyke (Lead Judge), about 5 hours ago
Invalidated
Reason: Incorrect statement
