search

code-423n4 / 2021-07-pooltogether-findings

0 stars 0 forks source link

Inconsistent balance when supplying transfer-on-fee or deflationary tokens #52

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The supplyTokenTo function of SwappableYieldSource assumes that amount of _depositToken is transferred to itself after calling the safeTransferFrom function (and thus it supplies amount of token to the yield source). However, this may not be true if the _depositToken is a transfer-on-fee token or a deflationary/rebasing token, causing the received amount to be less than the accounted amount.

Proof of Concept

Referenced code: SwappableYieldSource.sol#L211-L212

Recommended Mitigation Steps

Get the actual received amount by calculating the difference of token balance before and after the transfer. For example, re-writing line 211-212 to:

uint256 balanceBefore = _depositToken.balanceOf(address(this));
_depositToken.safeTransferFrom(msg.sender, address(this), amount);
uint256 receivedAmount = _depositToken.balanceOf(address(this)) - balanceBefore;
yieldSource.supplyTokenTo(receivedAmount, address(this));
PierrickGT commented 3 years ago

PR: https://github.com/pooltogether/swappable-yield-source/pull/9