search

code-423n4 / 2021-09-yaxis-findings

0 stars 0 forks source link

`convert` fails for fee-on-transfer tokens #137

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xsanson

Vulnerability details

Impact

The Controller contract can call converter.convert inside earn and withdraw functions, after transferring amount of tokens to the Converter contract. This contract assumes that it has received exactly amount tokens, however this isn't true for fee-on-transfer tokens. This will cause the aforementioned functions to revert, basically making the entire protocol unusable.

Proof of Concept

https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/controllers/Controller.sol#L426 https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/converters/StablesConverter.sol#L110

Tools Used

editor

Recommended Mitigation Steps

The Converter.convert function should look at its token's balance and use that variable as _inputAmount.

Haz077 commented 2 years ago

Same as #127

GalloDaSballo commented 2 years ago

Agree with finding, simple mitigation is to check actual balance in contract Additional simple mitigation is to NOT use any token with feeOnTransfer

GalloDaSballo commented 2 years ago

Duplicate of #127

GalloDaSballo commented 2 years ago

Downgraded to Medium as while this is potentially a serious risk, it can be mitigated by simply not using tokens that have fees