Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L200
Vulnerability details
Impact
Some ERC20 tokens customize their contracts beyond the standard. One such type is deflationary (fee-on-transfer) tokens, which charge a fee on every transfer() or transferFrom(), so the recipient receives less than the amount passed to the call.
Proof of Concept
The Cally.createVault() function credits the vault with the requested deposit amount rather than the amount the contract actually received, so for a fee-on-transfer token the vault is over-credited: Cally.sol#L200
Tools Used
Manual review
Recommended mitigation steps
As the vault owner can use any ERC20 token as the underlying asset, make sure the contract supports fee-on-transfer tokens.
Get the actual received amount by calculating the difference of the contract's token balance before and after the transfer, and use this value for Vault.tokenIdOrAmount.
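The pattern described above, as an added example that is not Cally's code: a hypothetical vault contract with the over-crediting version beside the balance-difference version. The struct, function and field names are assumptions chosen to mirror the finding, and the IERC20 interface is reduced to the two calls needed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC20 surface used by this example (constructed, not the project's interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault store; field names mirror the finding, not Cally's real struct.
contract VaultAccounting {
    struct Vault { address token; uint256 tokenIdOrAmount; address owner; }

    mapping(uint256 => Vault) public vaults;
    uint256 public nextVaultId = 1;

    // Over-crediting pattern: trusts the requested amount. With a fee-on-transfer
    // token the contract holds less than `amount`, yet the vault is credited `amount`.
    function createVaultUnsafe(address token, uint256 amount) external returns (uint256 id) {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        id = nextVaultId++;
        vaults[id] = Vault(token, amount, msg.sender);
    }

    // Hardened pattern: measure the balance before and after the transfer and
    // credit only what actually arrived.
    function createVaultSafe(address token, uint256 amount) external returns (uint256 id) {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        id = nextVaultId++;
        vaults[id] = Vault(token, received, msg.sender);
    }
}
```

The balance-difference check measures one call in isolation, so it should be combined with a reentrancy guard when tokens with transfer hooks (ERC777-style) are in scope; tokens that return no bool from transferFrom need a SafeERC20-style wrapper instead of the bare `require`.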