Severity: Medium · Impact: Medium · Likelihood: Medium
_deposit_collateral records the user's collateral by the amount_collateral argument and then pulls the tokens with transferFrom.
It never measures how many tokens actually arrived. For a fee-on-transfer (or rebasing) token the contract receives less than amount_collateral, but the books credit the full amount — so the engine believes it holds collateral it does not.
Likelihood:
Occurs whenever a supported collateral takes a transfer fee or rebases — a first-class scenario because the protocol is explicitly designed to be forked with "any basket of assets."
Impact:
The engine's recorded collateral exceeds its real token balance, so DSC is over-minted against collateral that isn't there, pushing the system toward undercollateralization.
Redemptions/liquidations draw against the phantom balance until the real tokens run out; the last users to withdraw cannot (their transfer out reverts), stranding funds.
Save the block below as tests/poc_m1.py inside the cloned repo and run mox test tests/poc_m1.py. The fee-on-transfer collateral is compiled inline via boa.loads; everything else uses the contest's own files. A 10-token deposit credits 10 but the engine holds only 9, and the user can no longer redeem the booked balance.
Credit the balance actually received by measuring the engine's token balance before and after the transfer.
Alternatively, maintain an explicit allow-list of standard, non-fee, 18-decimal tokens and document the restriction (which also narrows the fork claim).
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.