Submission Details
Impact:
Likelihood:
Payment Bypass via Fee-On-Transfer Token Assumption
Author Revealed upon completion
Root + Impact
Description
-
The protocol expects the payment token to transfer the exact amount specified when buying NFTs.
-
Tokens with transfer fees (or deflationary mechanics) cause the protocol to receive less than expected, while still finalizing the NFT sale.
// @> Assumes full amount arrives
paymentToken.transferFrom(buyer, address(this), price);
_finalizePurchase(tokenId, buyer);
Risk
Likelihood:
-
Occurs whenever a fee-on-transfer or deflationary ERC20 is used.
Happens deterministically on every purchase using such tokens.
Impact:
-
NFTs sold for less than intended value.
Protocol revenue leakage and pricing invariant break.
Proof of Concept
// Token charges 5% fee
price = 100 USDC
protocol receives 95
NFT still transferred
Recommended Mitigation
- remove this code
+ add this code
uint256 before = token.balanceOf(address(this));
token.transferFrom(buyer, address(this), price);
uint256 received = token.balanceOf(address(this)) - before;
require(received == price, "Incorrect payment");
Rewards breakdown
nSLOC
253This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.