Handle
tensors
Vulnerability details
Impact
As of right now I believe the only outside tokens the protocol uses are DAI, USDC, USDT and WETH. If other tokens are added, make sure to check that they have no callbacks on transfer.
For example, the CREAM protocol added the AMP token, which invokes a callback before a transfer completes, resulting in an 18 million dollar hack. Had the dev team carefully vetted the tokens added to the protocol, the attack would not have happened.
Proof of Concept
Throughout the code, .safeTransfer() is used, which calls back into the receiver when the token implements a transfer callback. This is an example where using .transfer() would actually be safer than using .safeTransfer().
Recommended Mitigation Steps
Make sure that developers are aware of this attack vector, and add it to the list of considerations when allowing users to deposit other tokens.
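The following is an added illustration (not code from the audited protocol) of the pattern this finding warns about: a vault whose withdraw() performs the token transfer before updating the balance, next to a hardened version that combines an allow-list of vetted tokens, the checks-effects-interactions order, and a reentrancy guard. It assumes OpenZeppelin 4.x import paths; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Vulnerable (hypothetical): the transfer happens before the balance is reduced.
// If the token calls a hook on the recipient during transfer, the recipient can
// re-enter withdraw() while its recorded balance is still unchanged.
contract VaultUnsafe {
    using SafeERC20 for IERC20;
    mapping(address => mapping(address => uint256)) public balances;

    function withdraw(IERC20 token, uint256 amount) external {
        require(balances[msg.sender][address(token)] >= amount, "insufficient");
        token.safeTransfer(msg.sender, amount);          // interaction first ...
        balances[msg.sender][address(token)] -= amount;  // ... effect last (bug)
    }
}

// Hardened (hypothetical): only vetted, hook-free tokens are accepted, state is
// updated before any external call, and nonReentrant adds defence in depth.
contract VaultSafe is ReentrancyGuard {
    using SafeERC20 for IERC20;
    address public immutable owner;
    mapping(address => bool) public allowed;  // maintained by the dev team after vetting
    mapping(address => mapping(address => uint256)) public balances;

    constructor() { owner = msg.sender; }

    function allowToken(address token, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[token] = ok;
    }

    function deposit(IERC20 token, uint256 amount) external nonReentrant {
        require(allowed[address(token)], "token not vetted");
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // credit only what actually arrived (also covers fee-on-transfer tokens)
        balances[msg.sender][address(token)] += token.balanceOf(address(this)) - before;
    }

    function withdraw(IERC20 token, uint256 amount) external nonReentrant {
        require(allowed[address(token)], "token not vetted");
        balances[msg.sender][address(token)] -= amount;  // effect first; underflow reverts in 0.8
        token.safeTransfer(msg.sender, amount);          // interaction last
    }
}
```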