code-423n4 / 2021-09-defiprotocol-findings


Missing support for (preventing) use of deflationary tokens in baskets #177

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

While the documentation mentions that “The protocol is designed for standard ERC20 tokens, it is not currently concerned with the potential effects of rebasing or non-standard ERC20 implementations”, there is no logic, e.g. via whitelisting, that prevents a publisher from choosing such tokens for baskets. Accidental inclusion may result in undefined behavior, accounting miscalculations or even fund loss for interacting users.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol#info

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L65-L91

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add logic to support inclusion/exclusion of such tokens or document the non-support warning explicitly to publishers and users.
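As an added illustration of the mitigation (this is not code from the defiProtocol repository), a hypothetical basket contract showing the two defences the finding asks for: an owner-curated token allowlist that publishers must satisfy, and a balance-delta check on deposit that rejects any deflationary (fee-on-transfer) token before it can skew reserve accounting. Contract and function names are assumptions; it relies on OpenZeppelin's `SafeERC20`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Hypothetical basket vault (assumed names, not the project's code)
/// showing an allowlist plus a received-amount check against fee-on-transfer tokens.
contract GuardedBasket {
    using SafeERC20 for IERC20;

    address public immutable owner;
    mapping(address => bool) public allowedToken;
    mapping(address => uint256) public reserves; // token => amount actually held

    event TokenAllowed(address indexed token, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// @notice Protocol owner curates which tokens a publisher may use.
    function setTokenAllowed(address token, bool allowed) external onlyOwner {
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    /// @notice Publisher-facing check: every basket component must be allowlisted.
    function validateComponents(address[] calldata tokens) public view returns (bool) {
        for (uint256 i = 0; i < tokens.length; i++) {
            if (!allowedToken[tokens[i]]) return false;
        }
        return true;
    }

    /// @notice Credits only what the contract really received. A fee-on-transfer
    /// token yields `received < amount`, which is rejected so `reserves` can never
    /// drift from the contract's true balance.
    function deposit(address token, uint256 amount) external {
        require(allowedToken[token], "token not allowlisted");
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received == amount, "fee-on-transfer token rejected");
        reserves[token] += received;
    }
}
```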

GalloDaSballo commented 2 years ago

Because of the lack of explicit blocking, even though the documentation mentions to exclude these tokens, the protocol allows any type of token due to its simplicity; as such, the code is inconsistent with the documentation and the finding is a valid low-severity finding.