The system does not handle fee-on-transfer tokens correctly, and some actions can be executed wrongly.
For example, the rewards contract PermissionlessBasicPoolFactory will calculate deposited amounts incorrectly, because it uses the amount parameter rather than the actual amount of tokens that the contract received.
There are more places where fee-on-transfer tokens can fail, such as the vesting and resistor contracts, among others.
Tools Used
Remix and VS Code
Recommended Mitigation Steps
Calculate the deposit amount as the difference between the contract's token balance after and before the transfer, instead of using the amount parameter.
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/PermissionlessBasicPoolFactory.sol#L194