Closed code423n4 closed 2 years ago
Reference #8, #9, #10, #12, #19
Only standard functions are applied to out-of-the-box DepositBoxes and TokenManagers. It's up to the SKALE chain owner's discretion to create custom DepositBoxes/TokenManagers that specifically support non-standard functions like FoT, and add these custom contracts to the bridge using registerExtraContract() functions in MessageProxy.
Dup of #50
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/main/contracts/mainnet/DepositBoxes/DepositBoxERC20.sol#L95-L132
Vulnerability details
Impact
The function `DepositBoxERC20.depositERC20()` does not account for FoT (Fee on Transfer) tokens. FoT tokens charge a fee when `transfer()` or `transferFrom()` is called; the fee is subtracted from `amount`, so the receiving address receives less than `amount` tokens. This matters in `depositERC20()` because the original `amount` is relayed through the bridge to the ERC20 token on the SChain, while the tokens actually received by the Deposit Box may have had a fee deducted during the transfer.

The impact is that the bridge will end up absorbing all of the fees for deposits.
Proof of Concept
Recommended Mitigation Steps
Consider preventing fee on transfer tokens from being used in the system. This can be done by only allowing whitelisted token addresses.

Alternatively, this can be done by ensuring the balance of the Deposit Box increases by exactly `amount`. For example:
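The balance-delta check described above, as an added illustration that is not code from the ima-c4-audit repository; the contract, interface and `credited` mapping are hypothetical stand-ins for the real DepositBox accounting:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed here (hypothetical interface, not the project's own).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DepositBoxExample {
    // Illustrative accounting: tokens the box believes it holds, per token address.
    mapping(address => uint256) public credited;

    // Vulnerable pattern: trusts `amount` and credits it regardless of what arrived.
    // With a fee-on-transfer token, `credited` exceeds the real balance and the
    // bridge absorbs the fee on every deposit.
    function depositVulnerable(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[token] += amount;
    }

    // Hardened pattern: measure the balance delta and require it to equal `amount`,
    // so a fee-on-transfer token is rejected instead of under-funding the bridge.
    function depositStrict(address token, uint256 amount) external {
        IERC20 erc20 = IERC20(token);
        uint256 before = erc20.balanceOf(address(this));
        require(erc20.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = erc20.balanceOf(address(this)) - before;
        require(received == amount, "fee-on-transfer token not supported");
        credited[token] += received;
    }
}
```

The delta must be measured before the cross-chain message carrying `amount` is posted, otherwise the SChain side still mints the full `amount`.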