code-423n4 / 2022-01-sandclock-findings


Incompatibility With Rebasing/Deflationary/Inflationary tokens #179

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

defsec

Vulnerability details

Impact

The Strategy contracts do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts before and after the actual transfer to infer any fees/interest.

Proof of Concept

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/strategy/BaseStrategy.sol#L239

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/strategy/BaseStrategy.sol#L221

Tools Used

Code Review

Recommended Mitigation Steps

- Make sure the token vault accounts for any rebasing/inflation/deflation.
- Add support in the contracts for such tokens before accepting user-supplied tokens.
- Consider checking the before/after balance on the vault.
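The before/after balance check recommended above, as an added Solidity example; this is not Sandclock's code and the contract and function names (`FeeToken`, `NaiveVault`, `MeasuredVault`) are hypothetical. The token is a constructed 1% fee-on-transfer (deflationary) ERC20; `NaiveVault` credits the caller with the `amount` argument, while `MeasuredVault` credits only the delta it actually observes in its own balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration, not Sandclock code. Minimal ERC20 surface used below.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function transfer(address, uint256) external returns (bool);
}

// Constructed fee-on-transfer token: burns 1% of every transfer.
// Hypothetical; exists only to exercise the two vaults.
contract FeeToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    uint256 public constant FEE_BPS = 100; // 1% in basis points

    constructor() { balanceOf[msg.sender] = 1_000_000 ether; }

    function transfer(address to, uint256 amount) public override returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) public override returns (bool) {
        // allowance bookkeeping omitted; irrelevant to the accounting bug
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;         // sender is debited the full amount
        balanceOf[to] += amount - fee;     // receiver gets amount minus the burned fee
        return true;
    }
}

// Vulnerable pattern: trusts `amount` although fewer tokens arrived.
// After enough deposits, sum(shares) > token.balanceOf(vault) and the
// last withdrawers cannot be paid in full.
contract NaiveVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[msg.sender] += amount;      // over-credits by the 1% fee
        totalShares += amount;
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        totalShares -= amount;
        // Reverts for the unlucky depositor once the vault is short.
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened pattern: measure what actually landed and credit only that.
contract MeasuredVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before;  // 99% of `amount` for FeeToken
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
        totalShares += received;
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        totalShares -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The delta check covers the transfer-time case (fees burned or diverted during `transferFrom`). It does not cover a rebasing token whose `balanceOf` drifts between deposit and withdrawal; for that, a vault has to account in shares of its current token balance rather than in token units, or exclude such tokens explicitly.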

naps62 commented 2 years ago

we did not intend to support those currencies in the first place

dmvt commented 2 years ago

As with issues #55 and #164, this oversight can cause a loss of funds and therefore constitutes a medium risk. Simply saying you don't support something does not mean that thing doesn't exist or won't cause a vulnerability in the future.

naps62 commented 2 years ago

Although technically an issue with some tokens, won't be fixed since our supported tokens do not fall under this category