code-423n4 / 2021-12-yetifinance-findings


Incompatibility With Rebasing/Deflationary/Inflationary tokens #167

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

defsec

Vulnerability details

Impact

The Yeti protocol allows different tokens to be used as the output token. The contracts do not appear to support rebasing/deflationary/inflationary tokens, whose balance changes during transfers or over time, as collateral. The necessary checks include at least verifying the contract's token balance before and after the actual transfer to infer any fees/interest.

Proof of Concept

https://github.com/code-423n4/2021-12-yetifinance/blob/1da782328ce4067f9654c3594a34014b0329130a/packages/contracts/contracts/BorrowerOperations.sol#L731

Tools Used

Code Review

Recommended Mitigation Steps

Make sure the output token is checked for any rebasing/inflation/deflation behaviour. Add support in the contracts for such tokens before accepting user-supplied tokens.

```solidity
// Measure what actually arrived rather than trusting `amount`.
uint256 balanceBefore = outputToken.balanceOf(address(this));
outputToken.safeTransferFrom(msg.sender, address(this), amount); // SafeERC20: reverts on failure
uint256 receivedAmount = outputToken.balanceOf(address(this)) - balanceBefore;
```

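As an added example, not code from the Yeti contracts or from the finding, the before/after balance check carried through into a complete deposit path, with a constructed fee-on-transfer token to exercise it. The contract and function names (FeeOnTransferToken, CollateralVault, deposit, depositNaive) are hypothetical, and the example assumes OpenZeppelin v4 ERC20/SafeERC20. The hardened `deposit` credits the delta, and additionally reverts when a token vetted as a plain ERC20 delivers a different amount than requested, so a misbehaving token fails loudly instead of being mis-accounted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Yeti's code): a collateral vault that credits the amount
// actually received rather than the amount requested, so a fee-on-transfer
// token cannot inflate the depositor's recorded collateral.
// Assumes OpenZeppelin v4; all contract and function names are hypothetical.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: burns a 1% fee on every transfer, so the recipient
/// receives less than `amount`.
contract FeeOnTransferToken is ERC20 {
    uint256 public constant FEE_BPS = 100; // 1%

    constructor() ERC20("Fee Token", "FEE") {
        _mint(msg.sender, 1_000_000e18);
    }

    function _transfer(address from, address to, uint256 amount) internal override {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        _burn(from, fee);
        super._transfer(from, to, amount - fee);
    }
}

/// Hypothetical vault showing the before/after balance check.
contract CollateralVault {
    using SafeERC20 for IERC20;

    // Tokens the operators have vetted. Tokens flagged as fee-on-transfer are
    // expected to deliver less than requested; plain ERC20s are not.
    mapping(address => bool) public whitelisted;
    mapping(address => bool) public feeOnTransfer;
    // user => token => credited collateral
    mapping(address => mapping(address => uint256)) public collateral;
    address public immutable owner;

    error NotWhitelisted(address token);
    error UnexpectedTransferAmount(address token, uint256 requested, uint256 received);

    constructor() {
        owner = msg.sender;
    }

    function setToken(address token, bool allowed, bool chargesFee) external {
        require(msg.sender == owner, "not owner");
        whitelisted[token] = allowed;
        feeOnTransfer[token] = chargesFee;
    }

    /// Vulnerable form, kept for comparison: trusts `amount`, so a
    /// fee-on-transfer token over-credits the depositor by the fee.
    function depositNaive(IERC20 token, uint256 amount) external {
        if (!whitelisted[address(token)]) revert NotWhitelisted(address(token));
        token.safeTransferFrom(msg.sender, address(this), amount);
        collateral[msg.sender][address(token)] += amount;
    }

    /// Hardened form: credit only what actually arrived.
    function deposit(IERC20 token, uint256 amount) external returns (uint256 received) {
        if (!whitelisted[address(token)]) revert NotWhitelisted(address(token));
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        // A token vetted as a plain ERC20 that delivered a different amount
        // is misbehaving; refuse rather than silently mis-account.
        if (!feeOnTransfer[address(token)] && received != amount) {
            revert UnexpectedTransferAmount(address(token), amount, received);
        }
        collateral[msg.sender][address(token)] += received;
    }
}
```

The delta check only covers balance changes at transfer time. A token whose balance changes over time (rebasing) will still drift away from `collateral[user][token]` after the deposit; that class needs a wrapper or shares-based accounting on top of this check, which is the other half of the finding's recommendation.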
kingyetifinance commented 2 years ago

@LilYeti: We are using wrappers to keep track of these styles of tokens where the amount changes over time.

kingyetifinance commented 2 years ago

These will be vetted before being added to the whitelist.

alcueca commented 2 years ago

That should be added to the documentation; the issue is valid.