code-423n4 / 2022-03-volt-findings

`CompoundPCVDepositBase` is unable to `withdraw()` fee-on-transfer tokens #114

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/pcv/compound/CompoundPCVDepositBase.sol#L38-L48

Vulnerability details

Impact

Fee-on-transfer tokens deposited to Compound cannot be withdrawn because the code expects that the amount redeemed is the amount transferable.

Proof of Concept

The `withdraw()` function attempts to redeem the same amount as is transferred. The tokens available after the redeem call will be less than `amountUnderlying`, so the call to `_transferUnderlying` will revert.

    function withdraw(address to, uint256 amountUnderlying)
        external
        override
        onlyPCVController
        whenNotPaused
    {
        require(
            cToken.redeemUnderlying(amountUnderlying) == 0,
            "CompoundPCVDeposit: redeem error"
        );
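        // Transfers amountUnderlying itself, not the balance actually received from the redeem.
        _transferUnderlying(to, amountUnderlying);
        // (excerpt ends here; the remainder of the function is not shown)
    }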

https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/pcv/compound/CompoundPCVDepositBase.sol#L38-L48

Tools Used

Code inspection

Recommended Mitigation Steps

Measure the balance before and after the call to `redeemUnderlying()`, and use the difference between the two as the amount, rather than `amountUnderlying`.
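The balance-delta pattern recommended above, as an added sketch that is not part of the original report or the Volt code base. The contract name, the two minimal interfaces, the `controller` check (a stand-in for `onlyPCVController`) and the `WithdrawalDelta` event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces (assumed), declared inline so the sketch compiles alone.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ICErc20Like {
    function redeemUnderlying(uint256 redeemAmount) external returns (uint256);
}

// Hypothetical contract illustrating the mitigation only.
contract BalanceDeltaWithdraw {
    IERC20Like public immutable token;
    ICErc20Like public immutable cToken;
    address public immutable controller; // stand-in for onlyPCVController

    event WithdrawalDelta(address indexed to, uint256 requested, uint256 received);

    constructor(IERC20Like _token, ICErc20Like _cToken, address _controller) {
        token = _token;
        cToken = _cToken;
        controller = _controller;
    }

    function withdraw(address to, uint256 amountUnderlying) external {
        require(msg.sender == controller, "not controller");

        // Snapshot the balance before redeeming.
        uint256 balanceBefore = token.balanceOf(address(this));
        require(
            cToken.redeemUnderlying(amountUnderlying) == 0,
            "CompoundPCVDeposit: redeem error"
        );
        // Amount that actually arrived; with a fee-on-transfer token this is
        // lower than amountUnderlying. Checked arithmetic reverts on underflow.
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");

        // Forward only what was received. Tokens that do not return a bool
        // need a safe-transfer wrapper instead of this direct call.
        require(token.transfer(to, received), "transfer failed");
        emit WithdrawalDelta(to, amountUnderlying, received);
    }
}
```

If the token also charges its fee on the outbound transfer, the recipient ends up with less than `received`; the event logs both the requested and received amounts so accounting can reconcile the difference.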

ElliotFriedman commented 2 years ago

PCV Deposits in this system will never hold fee-on-transfer tokens, so this issue is invalid.