Lines of code
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L16-L17
Vulnerability details
Impact
There are ERC20 tokens that make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a fee on every transfer() or transferFrom(), so the recipient receives less than the amount passed in. Others are rebasing tokens that increase in value over time, like Aave's aTokens, whose balanceOf changes over time.
All Cally functions assume that there are no fee-on-transfer tokens, so their calculations will be wrong for such tokens: the contract credits the full amount passed to the transfer even though it actually received less.
Recommended Mitigation Steps
Measure the contract's balance right before and after the asset-transferring routines and use the difference as the amount received; see, for example, https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/legacy/MetaVault.sol#L393-L400
Or clearly state that fee-on-transfer tokens are not supported.
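As an added example (not Cally's code), a minimal deposit contract showing the unsafe pattern beside the balance-difference mitigation described above; the contract, function and mapping names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical contract illustrating the finding. Names (`deposits`,
/// `depositUnsafe`, `depositSafe`) are assumptions, not Cally's own.
contract FeeOnTransferExample {
    using SafeERC20 for IERC20;

    // token => depositor => amount credited
    mapping(address => mapping(address => uint256)) public deposits;

    /// Vulnerable pattern: credits `amount` even though a fee-on-transfer
    /// token delivers less. Credited balances then exceed what the
    /// contract actually holds, so later withdrawals over-pay or revert.
    function depositUnsafe(IERC20 token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        deposits[address(token)][msg.sender] += amount;
    }

    /// Mitigated pattern: credit only what actually arrived by measuring
    /// the contract's own balance before and after the transfer.
    function depositSafe(IERC20 token, uint256 amount)
        external
        returns (uint256 received)
    {
        uint256 before = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Checked arithmetic in 0.8.x reverts if the balance somehow fell.
        received = token.balanceOf(address(this)) - before;
        deposits[address(token)][msg.sender] += received;
    }
}
```

The before/after measurement only fixes the fee-on-transfer case; for rebasing tokens the contract's balanceOf keeps changing after the deposit, so those still need either share-based internal accounting or an explicit statement that they are unsupported.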