code-423n4 / 2022-02-skale-findings


DepositBoxERC20 does not support fee-on-transfer token #53

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/mainnet/DepositBoxes/DepositBoxERC20.sol#L118

Vulnerability details

Impact

The transferred amount is saved without checking the actual amount of token received after the transfer.

Proof of Concept

https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/mainnet/DepositBoxes/DepositBoxERC20.sol#L118

        _saveTransferredAmount(schainHash, erc20OnMainnet, amount);
        require(
            ERC20Upgradeable(erc20OnMainnet).transferFrom(
                msg.sender,
                address(this),
                amount
            ),
            "Transfer was failed"
        );

Recommended Mitigation Steps

Check before and after balance
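The balance-before/after pattern the mitigation refers to, written out as an added example. This is not the IMA contract and not code from the finding; it is a minimal stand-in contract that reuses the names `schainHash`, `erc20OnMainnet`, `amount` and `_saveTransferredAmount` from the snippet above, with a hypothetical `transferredAmount` mapping standing in for the real bookkeeping, and OpenZeppelin's `IERC20` and `SafeERC20` for the token calls. The point is that the ledger is credited with what the contract actually holds after `transferFrom`, not with the requested `amount`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative deposit box (not the audited contract): records the amount
/// actually received so fee-on-transfer tokens cannot be over-credited.
contract FeeAwareDepositBox {
    using SafeERC20 for IERC20;

    // Hypothetical ledger standing in for the real _saveTransferredAmount bookkeeping.
    mapping(bytes32 => mapping(address => uint256)) public transferredAmount;

    event Deposited(
        bytes32 indexed schainHash,
        address indexed token,
        uint256 requested,
        uint256 received
    );

    function deposit(bytes32 schainHash, address erc20OnMainnet, uint256 amount) external {
        IERC20 token = IERC20(erc20OnMainnet);

        // Snapshot the balance before pulling tokens in ...
        uint256 balanceBefore = token.balanceOf(address(this));

        // SafeERC20 reverts on failure and also copes with tokens that return no bool.
        token.safeTransferFrom(msg.sender, address(this), amount);

        // ... and after, so any fee deducted in transit shows up as a smaller delta.
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "Nothing received");

        // Credit only what the contract really holds. Saving `amount` here (or before
        // the transfer, as in the original ordering) would let a later withdrawal claim
        // tokens the box never received.
        _saveTransferredAmount(schainHash, erc20OnMainnet, received);

        emit Deposited(schainHash, erc20OnMainnet, amount, received);
    }

    function _saveTransferredAmount(bytes32 schainHash, address token, uint256 received) internal {
        transferredAmount[schainHash][token] += received;
    }
}
```

One caveat when adopting this pattern: the balance delta is only trustworthy if nothing else can change the contract's balance between the two `balanceOf` reads, so for tokens with transfer hooks (ERC777-style callbacks) the function should additionally be protected by a reentrancy guard.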

cstrangedk commented 2 years ago

Duplicate and disputed of #42

GalloDaSballo commented 2 years ago

Dup of #50