code-423n4 / 2022-03-volt-findings


Minting does not support fee-on-transfer tokens #25

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/peg/NonCustodialPSM.sol#L280

Vulnerability details

Impact

Some ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom().

The NonCustodialPSM.mint function calculates the volt amount based on the pre-fee amount but only receives this amount minus the fees. This leads to issues where all volt cannot be redeemed for their underlying again as the pcvDeposit.withdraw(to, amountOut) would fail as it has fewer underlying due to the fee.

Recommended Mitigation Steps

One possible mitigation is to measure the asset change right before and after the asset-transferring call in mint. Then use this actually received amount to compute the amountVoltOut.
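The balance-delta measurement recommended above, as an added Solidity example (not part of the original report and not the project's code). The contract name `MeasuredMintExample`, the `IMintable` interface and the 1:1 `getMintAmountOut` pricing are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal ERC20 surface needed for the example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the minted token's mint entry point.
interface IMintable {
    function mint(address to, uint256 amount) external;
}

// Illustrative contract, not NonCustodialPSM itself.
contract MeasuredMintExample {
    IERC20 public immutable underlyingToken;
    IMintable public immutable volt;
    address public immutable pcvDeposit;

    constructor(IERC20 _underlying, IMintable _volt, address _pcvDeposit) {
        underlyingToken = _underlying;
        volt = _volt;
        pcvDeposit = _pcvDeposit;
    }

    // Placeholder pricing (1:1), assumed here only to keep the example small.
    function getMintAmountOut(uint256 amountIn) public pure returns (uint256) {
        return amountIn;
    }

    function mint(address to, uint256 amountIn, uint256 minAmountOut)
        external
        returns (uint256 amountVoltOut)
    {
        // Record the deposit's balance, transfer, then measure the real gain.
        uint256 balanceBefore = underlyingToken.balanceOf(pcvDeposit);
        require(underlyingToken.transferFrom(msg.sender, pcvDeposit, amountIn), "transfer failed");
        uint256 received = underlyingToken.balanceOf(pcvDeposit) - balanceBefore;

        // Price the mint on what arrived, so a transfer fee cannot leave
        // the deposit holding less underlying than the minted supply implies.
        amountVoltOut = getMintAmountOut(received);
        require(amountVoltOut >= minAmountOut, "not enough out");
        volt.mint(to, amountVoltOut);
    }
}
```

The bare `transferFrom` with `require` is used only to keep the block self-contained; tokens that return no value need a safe-transfer wrapper, and a balance-delta check should sit behind a reentrancy guard if the token can call back into the contract.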

ElliotFriedman commented 2 years ago

PCV deposits and the PSM will never accept tokens that have fees on transfer or any other non-standard behavior.

ElliotFriedman commented 2 years ago

duplicate https://github.com/code-423n4/2022-03-volt-findings/issues/21