code-423n4 / 2021-09-yaxis-findings


Tokens that have multiple addresses can break some computations #103

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

hrkrshnn

Vulnerability details

Tokens that have multiple addresses can break some computations

Take TrueUSD as an example. It has two addresses: 0x8dd5fbCe2F6a956C3022bA3663759011Dd51e73E and 0x0000000000085d4780B73119b644AE5ecd22b376. Calling transfer on one address will affect the balance on the other.

This means that adding both tokens to the same vault will lead to buggy calculations. For example, the balanceOfThis calculation would involve double counting. Similarly, this would lead to incorrect withdrawals during calls to withdraw.

Recommended Mitigation Steps

Unfortunately checking these on-chain may be difficult. It is recommended to have front-end checks and perhaps manual checks before adding tokens.
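The double counting described in the report above, as an added Python model that is not part of the original issue or the yAxis code base. It assumes two entry-point addresses that read and write one shared balance store; `Ledger`, `TokenEntryPoint`, `Vault`, `is_alias` and the `0xOLD`/`0xNEW` labels are all hypothetical, and `is_alias` sketches the kind of pre-listing check the report recommends, run against a fork or simulation.

```python
# Constructed model, not yAxis code: every class and name here is hypothetical.

class Ledger:
    """Single balance store shared by every entry point of one token."""
    def __init__(self, balances=None):
        self.balances = dict(balances or {})

class TokenEntryPoint:
    """One address exposing balance_of/transfer over a ledger."""
    def __init__(self, address, ledger):
        self.address, self.ledger = address, ledger

    def balance_of(self, holder):
        return self.ledger.balances.get(holder, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.ledger.balances[sender] = self.balance_of(sender) - amount
        self.ledger.balances[recipient] = self.balance_of(recipient) + amount

def is_alias(a, b, funded_holder, sink="alias-probe-sink"):
    """Move 1 unit through `a`; if `b` sees it arrive, both share state.
    Meant to be run against a fork or simulation before listing a token."""
    before = b.balance_of(sink)
    a.transfer(funded_holder, sink, 1)
    aliased = b.balance_of(sink) == before + 1
    a.transfer(sink, funded_holder, 1)  # put the probe unit back
    return aliased

class Vault:
    def __init__(self, name, check_aliases=False):
        self.name, self.check_aliases, self.tokens = name, check_aliases, []

    def add_token(self, token, funded_holder=None):
        if self.check_aliases and any(is_alias(t, token, funded_holder) for t in self.tokens):
            raise ValueError(f"{token.address} aliases an already listed token")
        self.tokens.append(token)

    def balance_of_this(self):
        # Sums per listed address, so a shared ledger is counted once per address.
        return sum(t.balance_of(self.name) for t in self.tokens)

def demo():
    shared = Ledger({"whale": 1000})  # constructed sample state
    old, new = TokenEntryPoint("0xOLD", shared), TokenEntryPoint("0xNEW", shared)
    naive = Vault("vault")
    naive.add_token(old)
    naive.add_token(new)
    old.transfer("whale", "vault", 100)
    return naive.balance_of_this(), shared.balances["vault"]
```

In this model `demo()` reports 200 for a vault that actually holds 100, while a vault created with `check_aliases=True` rejects the second address at listing time.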

Haz077 commented 2 years ago

A token cannot have multiple addresses, and if so, it will be treated as 2 separate tokens, which will not cause the issues mentioned. The given example of TrueUSD is not valid, as one of the addresses provided is the old contract.

GalloDaSballo commented 2 years ago

This finding claims that a token can have 2 addresses, which is incorrect.