Open code423n4 opened 3 years ago
Most likely not a medium risk as you can do a lot more nasty things than just use rebasing tokens. Since the owner of a market can set their own quote token, this token could be a token they control the supply of allowing them to arbitrarily transfer tokens between accounts, etc.
As such, this sort of falls outside of our trust model. Market creators should use tokens that behave as "standard" ERC20s. We will make a note that rebasing and deflationary tokens should not be used as quote tokens without weird behaviour.
Would be better as a low or informational issue due to this.
Marking this as low risk as it seems to fall outside of the trust model, yet important enough to communicate to users explicitly.
Handle
cmichel
Vulnerability details
There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every `transfer()` or `transferFrom()`.
Impact
The `deposit()` functions of `Insurance` and `TracerPerpetualSwaps` assume that the external `ERC20` balance of the contract increases by the same amount as the `amount` parameter of the `transferFrom`.
The user is credited the full amount without the taxes (`userBalance.position.quote`).
Recommended Mitigation Steps
One possible mitigation is to measure the asset change right before and after the asset-transferring functions.
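The before/after measurement described above, shown next to the assumption it replaces. This is an added example, not code from the Tracer contracts or from the report: `QuoteVault`, `credited`, `depositAssumed` and `depositMeasured` are hypothetical names, and the quote token is assumed to return a `bool` from `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not the Tracer implementation.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract QuoteVault {
    IERC20 public immutable quoteToken;
    mapping(address => uint256) public credited; // internal ledger per depositor
    bool private locked;

    constructor(IERC20 _quoteToken) {
        quoteToken = _quoteToken;
    }

    // Blocks re-entry so the two balance reads below bracket exactly one transfer.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Pattern the report describes: the ledger is credited with `amount`
    // even when a fee-charging token delivers less to this contract.
    function depositAssumed(uint256 amount) external nonReentrant {
        require(quoteToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender] += amount;
    }

    // Mitigation: credit only what the contract's balance actually gained.
    function depositMeasured(uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = quoteToken.balanceOf(address(this));
        require(quoteToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Checked arithmetic (Solidity >= 0.8) reverts if the balance decreased.
        received = quoteToken.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
    }
}
```

Measuring the delta covers fees taken at transfer time only. A rebasing token that changes balances after the deposit still drifts from the ledger, which is why the sponsor's comment rules such tokens out as quote tokens.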