Fee-on-transfer tokens deposited to Compound cannot be withdrawn because the code expects that the amount redeemed is the amount transferable.
Proof of Concept
The withdraw() function attempts to redeem the same amount as is transferred. The tokens available after the redeem call will be less than amountUnderlying, so the call to _transferUnderlying will revert.
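```solidity
function withdraw(address to, uint256 amountUnderlying)
    external
    override
    onlyPCVController
    whenNotPaused
{
    // Redeems amountUnderlying from Compound; a fee-on-transfer token delivers less.
    require(
        cToken.redeemUnderlying(amountUnderlying) == 0,
        "CompoundPCVDeposit: redeem error"
    );
    // Tries to send the full amountUnderlying, which is more than was received.
    _transferUnderlying(to, amountUnderlying);
}
```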
Lines of code
https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/pcv/compound/CompoundPCVDepositBase.sol#L38-L48
Tools Used
Code inspection
Recommended Mitigation Steps
Measure the balance before and after the call to redeemUnderlying(), and use the difference between the two as the amount, rather than amountUnderlying.
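One way to implement the recommended balance-difference measurement, as an added example that is not the project's own code. The interfaces, the contract name `BalanceDeltaWithdraw`, and the `controller` check (a stand-in for `onlyPCVController`) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal interfaces for this added example (assumptions, not the project's own).
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ICTokenLike {
    // Returns 0 on success, matching the `== 0` check in the snippet on this page.
    function redeemUnderlying(uint256 redeemAmount) external returns (uint256);
}

contract BalanceDeltaWithdraw {
    IERC20Like public immutable token;   // underlying; may charge a fee on transfer
    ICTokenLike public immutable cToken;
    address public immutable controller; // hypothetical stand-in for onlyPCVController

    constructor(IERC20Like _token, ICTokenLike _cToken) {
        token = _token;
        cToken = _cToken;
        controller = msg.sender;
    }

    function withdraw(address to, uint256 amountUnderlying) external returns (uint256 received) {
        require(msg.sender == controller, "not controller");

        uint256 balanceBefore = token.balanceOf(address(this));
        require(
            cToken.redeemUnderlying(amountUnderlying) == 0,
            "CompoundPCVDeposit: redeem error"
        );
        // What actually arrived; less than amountUnderlying when the token takes a fee.
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing redeemed");

        // Forward the measured amount instead of amountUnderlying.
        // Assumes a token whose transfer returns bool.
        require(token.transfer(to, received), "transfer failed");
    }
}
```

The recipient can still be credited less than `received` if the token charges its fee again on the outgoing transfer, so callers should read the return value as the amount sent, not the amount that arrived at `to`.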