Closed code423n4 closed 2 years ago
Same as #127
Agree with finding, simple mitigation is to check actual balance in contract
Additional simple mitigation is to NOT use any token with feeOnTransfer
Duplicate of #127
Downgraded to Medium as while this is potentially a serious risk, it can be mitigated by simply not using tokens that have fees
Handle
0xsanson
Vulnerability details
Impact
The Controller contract can call
converter.convert
insideearn
andwithdraw
functions, after transferringamount
of tokens to the Converter contract. This contract assumes that it has received exactlyamount
tokens, however this isn't true for fee-on-transfer tokens. This will cause the aforementioned functions to revert, basically making the entire protocol unusable.Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/controllers/Controller.sol#L426 https://github.com/code-423n4/2021-09-yaxis/blob/main/contracts/v3/converters/StablesConverter.sol#L110
Tools Used
editor
Recommended Mitigation Steps
The Converter.convert function should look at its token's balance and use that variable as
_inputAmount
.