Open code423n4 opened 2 years ago
Sponsor acknowledged
Alchemix does not deal with fee-on-transfer or rebasing tokens
As Alchemix does not deal with fee-on-transfer tokens, I'm inclined to mark this as QA because it assumes the protocol governance enlists a token type that is not compatible with the protocol's design.
Fee on Transfer and Rebasing tokens are not accounted for in adapters or AlchemistV2
Lines of code
https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/adapters/fuse/FuseTokenAdapterV1.sol#L66-L85
https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/AlchemistV2.sol#L1319
Vulnerability details
Impact
Many ERC20 tokens are Fee on Transfer (FoT), in which a fee will be deducted from the amount transferred. The recipient will receive `amount - fee` tokens. Similarly, rebasing tokens may change value up or down over time or during transfers. If fee-on-transfer tokens are used in AlchemistV2 or the adapters, the result is that the contract may receive fewer tokens than were sent in `safeTransferFrom()`. The impact of these tokens on the `wrap()` functions is that they will either a) spend the fee from the current contract balance or b) revert if there is insufficient balance in the contract.

Proof of Concept
`AlchemistV2._wrap()` will first transfer the tokens from the `msg.sender` to the current contract. It will then attempt to wrap this exact same amount of tokens. However, if a fee has been applied during `safeTransferFrom()`, then less than `amount` of tokens will be received by the contract, and `adapter.wrap()` will either revert due to having insufficient balance or will spend the Alchemist's tokens.

`FuseTokenAdapterV1.wrap()` will transfer `amount` to this contract and then `mint()` the same `amount` in Fuse. If they are FoT tokens, the current contract will receive less than `amount` of tokens, and therefore either `mint()` will fail due to insufficient balance or it will spend tokens from the contract which were not owned by the caller. The same principles also apply to `YearnTokenAdapter.sol` and `VesperAdapterV1.sol`.

Recommended Mitigation Steps
Ensure there is sufficient documentation such that underlying tokens which are FoT or rebasing are not added to the protocol as underlying tokens or yield tokens.
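Added illustration (not Alchemix code): a minimal contract showing the "pull `amount`, then wrap `amount`" pattern the report describes next to a balance-measured variant that only wraps what actually arrived. `ITokenAdapter`, `WrapExample` and both function names are hypothetical stand-ins for the adapter interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical adapter interface standing in for the protocol's token adapters.
interface ITokenAdapter {
    function wrap(uint256 amount, address recipient) external returns (uint256);
}

contract WrapExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    ITokenAdapter public immutable adapter;

    constructor(IERC20 underlying_, ITokenAdapter adapter_) {
        underlying = underlying_;
        adapter = adapter_;
    }

    // Pattern from the report: pulls `amount` from the caller and then wraps
    // that same `amount`. With a fee-on-transfer token the contract receives
    // `amount - fee`, so adapter.wrap() either reverts for lack of balance or
    // consumes tokens already held by this contract on behalf of other users.
    function wrapTrusting(uint256 amount) external returns (uint256) {
        underlying.safeTransferFrom(msg.sender, address(this), amount);
        underlying.safeIncreaseAllowance(address(adapter), amount);
        return adapter.wrap(amount, msg.sender);
    }

    // Balance-measured variant: compute how many tokens actually arrived and
    // wrap only that quantity, so a transfer fee is charged to the depositor
    // rather than to the pooled balance.
    function wrapMeasured(uint256 amount) external returns (uint256) {
        uint256 before = underlying.balanceOf(address(this));
        underlying.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = underlying.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        underlying.safeIncreaseAllowance(address(adapter), received);
        return adapter.wrap(received, msg.sender);
    }
}
```

The measured variant only corrects for fees charged during the transfer itself; a rebasing token can still change the contract's balance between deposit and later accounting, which is why the report's recommendation to exclude such tokens at the governance level still applies.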