code-423n4 / 2021-12-amun-findings


Tokens with fee on transfer are not supported #220

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

There are ERC20 tokens that charge a fee for every transfer() or transferFrom().

In the current implementation, BasketFacet.sol#joinPool() and SingleTokenJoin.sol#joinTokenSingle() assume that the received amount is the same as the transfer amount, and use it for basketToken minting and token swap.

https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/facets/Basket/BasketFacet.sol#L162-L167

https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleTokenJoin.sol#L53-L57

https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/SingleTokenJoin.sol#L96-L102

Recommendation

Consider comparing the before and after balanceOf to get the actual transferred amount.
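The before/after balanceOf check from the recommendation, written out as an added Solidity example; this is not the Amun code base, and the contract, its `credited` mapping and the two function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical pool used only to contrast the two patterns (not the Amun contracts).
contract FeeOnTransferExample {
    // user => token => amount the pool believes it holds for that user
    mapping(address => mapping(address => uint256)) public credited;

    // Vulnerable pattern, as described in the finding: the requested `amount`
    // is trusted. A fee-on-transfer token delivers less than `amount`, so the
    // caller is credited more than the pool actually received.
    function depositUnsafe(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender][address(token)] += amount;
    }

    // Hardened pattern: read the pool's balance before and after the transfer
    // and credit only the difference that actually arrived.
    function depositSafe(IERC20 token, uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        credited[msg.sender][address(token)] += received;
    }
}
```

The two balanceOf reads bracket a single transfer with no other external call in between, so the difference is exactly what this transfer delivered; tokens with transfer hooks (for example ERC777) still need reentrancy protection around the same code.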