Open codehawks-bot opened 1 year ago
This report was marked as duplicate however it is actually different from the other one I submitted which got marked as the selected report. Whether you want to payout for an issue this similar or not is up to you (though I think you should as c4 does :) ) it is still crucial that the protocol be aware that this issue exists. The other fee on transfer report mentions the issue with fee on transfer in the Staking.sol
contract however does not mention the issue in Lending.sol
which is why I find it important that the protocol team be made aware of this. My original thought was the same issue affecting to separate parts of the protocol should be submitted as two separate issues, since this wasn't made clear in the docs I assumed this.
My suggestion is that if it is not going to be counted as two separate issues to mention in the docs the same bug affecting different parts of the codebase will be considered one issue. I believe Sherlock handles issues in this way however c4 tends to do the opposite. If you have a bug that has multiple attack vectors I've seen them submitted as separate issues before on c4. Either way you want to go makes sense to me, however, it should be made clear in the docs so that people don't submit multiple issues. :)
Here is an example on c4 of where fee on transfer tokens effected two different contracts in the same contest and they were counted as two separate issues.
This report was marked as duplicate however it is actually different from the other one I submitted which got marked as the selected report. Whether you want to payout for an issue this similar or not is up to you (though I think you should as c4 does :) ) it is still crucial that the protocol be aware that this issue exists. The other fee on transfer report mentions the issue with fee on transfer in the
Staking.sol
contract however does not mention the issue inLending.sol
which is why I find it important that the protocol team be made aware of this. My original thought was the same issue affecting to separate parts of the protocol should be submitted as two separate issues, since this wasn't made clear in the docs I assumed this.My suggestion is that if it is not going to be counted as two separate issues to mention in the docs the same bug affecting different parts of the codebase will be considered one issue. I believe Sherlock handles issues in this way however c4 tends to do the opposite. If you have a bug that has multiple attack vectors I've seen them submitted as separate issues before on c4. Either way you want to go makes sense to me, however, it should be made clear in the docs so that people don't submit multiple issues. :)
It might be because the contest mentioned is happened in 2021, so many things changed since then I believe and I didn't see token compatibility related issues counted as seperate for seperate contracts lately. Furthermore there are 50 duplicates for fot tokens and nearly half of them is actually mentioning problems regarding whole protocol, not just one contract. If judge decided to seperate the issues (which I don't recommend), judge needs to check all of them and seperate accordingly (This comment is for judge, not you).
And also if this issue get separated, then all other token issues must also be separated. For example decimal issues are all mentioning different part of codebase. But again the issue here is incompatibility of protocol with certain token types. So I believe separation has no point.
@leeftk I think the fee-on-transfer issue has effects all over the contracts. For now, I'm going to keep them as separate issues. The protocol is aware of the issue and how it has ramifications many places.
Fee on transfer tokens can cause lender tokens to get stuck in contract.
Severity
High Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L182
Summary
Fee on transfer tokens take a tax when they are submitted
Vulnerability Details
Some ERC20 tokens, such as USDT, allow for charging a fee any time transfer() or transferFrom() is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert() due to the contract having an insufficient balance. However, a malicious user could also take advantage of this to steal funds from the pool.
Let's take a look at the
addPool()
andremovePool()
functions.Impact
addToPool()
takes in an amount that is set by the users.removeFromPool()
does the same, however when attempting to remove a pool using fee on transfer tokens the function would revert due to insufficient balance leaving the users funds stuck in the pool. Consider the example below.Step to Reproduce
addToPool()
._updatePoolBalance(poolId, pools[poolId].poolBalance + amount);
will equal 100.Tools used
Manual Review
Recommended Steps
Measure the contract balance before and after the call to transfer()/transferFrom() and use the difference between the two as the amount, rather than the amount stated
Note this implementation is vulnerable to reentrancy so use a nonreentrant guard in on this function.