Closed code423n4 closed 2 years ago
Lines of code
https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L237
Vulnerability details
Impact
There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom().
Proof of Concept
AaveV3YieldSource.sol#L237
Tools Used
Manual review
Recommended mitigation steps
Get the actual received amount by calculating the difference of token balance before and after the transfer. e.g.:
```solidity
// Snapshot the balance around the transfer: a fee-on-transfer token delivers less than _depositAmount.
uint256 _beforeBalance = IERC20(_underlyingAssetAddress).balanceOf(address(this));
IERC20(_underlyingAssetAddress).safeTransferFrom(msg.sender, address(this), _depositAmount);
uint256 _afterBalance = IERC20(_underlyingAssetAddress).balanceOf(address(this));
// Amount actually received; account with this value instead of _depositAmount.
uint256 _receivedAmount = _afterBalance - _beforeBalance;
```
Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/8
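The gap between the requested amount and the amount actually received, as an added Python model (not code from the report or from AaveV3YieldSource). The class names, the 1% fee and the deposit amounts are constructed for illustration, and the vault is a simplified ledger rather than the contract's own share accounting.

```python
# Constructed model; FeeOnTransferToken, Vault and run are hypothetical names, not the contract's.


class FeeOnTransferToken:
    """Minimal ERC20-like ledger that burns fee_bps basis points on every transfer."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount - fee


class Vault:
    """Credits depositors either by the requested amount or by the balance delta."""

    def __init__(self, token, measure_received):
        self.token = token
        self.measure_received = measure_received
        self.credited = {}

    def deposit(self, sender, amount):
        before = self.token.balance_of(self)
        self.token.transfer_from(sender, self, amount)
        received = self.token.balance_of(self) - before
        credit = received if self.measure_received else amount
        self.credited[sender] = self.credited.get(sender, 0) + credit
        return credit

    def shortfall(self):
        """Credited total minus tokens actually held (0 means fully backed)."""
        return sum(self.credited.values()) - self.token.balance_of(self)


def run(measure_received, fee_bps=100, amount=1_000):
    token = FeeOnTransferToken(fee_bps)
    vault = Vault(token, measure_received)
    for user in ("alice", "bob"):
        token.balances[user] = amount  # constructed starting balance
        vault.deposit(user, amount)
    return vault.shortfall()
```

`run(False)` credits the requested amount and leaves the ledger short by the fees taken in transit, while `run(True)` credits the measured balance delta and stays fully backed.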