The FactoryDAO suite of contracts interacts with arbitrary ERC20 tokens. Because of this, there is a specific instance (and likely several others) where a fee-on-transfer token will not be handled correctly. PermissionlessBasicPoolFactory.fundPool() pulls funds from the pool creator and increments the pool tracker as follows:
pool.rewardFunding[i] += amount
As a result, if a fee-on-transfer token is used, too many tokens will be allotted to pool.rewardFunding, meaning some pool stakers will miss out on rewards if the pool is fully utilised.
Recommended Mitigation Steps
Consider taking a snapshot of the token balance before and after the transfer and treat the difference between these two amounts as the received token amount. This will be compatible with all types of tokens and avoid any issues where users are unable to withdraw their entire deposited amount.
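The balance-snapshot mitigation described above, as an added example that is not FactoryDAO's code. The contract, struct, event and function names are hypothetical, and the token is assumed to return a bool from transferFrom (tokens that do not would need a safe-transfer wrapper).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added example, not FactoryDAO code. All contract, struct and function names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RewardFundingExample {
    struct Pool {
        address[] rewardTokens;
        uint256[] rewardFunding; // tokens actually held for rewards, per reward token
    }

    mapping(uint256 => Pool) internal pools;

    event RewardFunded(uint256 indexed poolId, address token, uint256 requested, uint256 received);

    function addPool(uint256 poolId, address[] calldata rewardTokens) external {
        Pool storage pool = pools[poolId];
        require(pool.rewardTokens.length == 0, "pool exists");
        pool.rewardTokens = rewardTokens;
        pool.rewardFunding = new uint256[](rewardTokens.length);
    }

    // Pull amounts[i] of each reward token from the caller and credit only what arrived.
    function fundPool(uint256 poolId, uint256[] calldata amounts) external {
        Pool storage pool = pools[poolId];
        require(amounts.length == pool.rewardTokens.length, "length mismatch");

        for (uint256 i = 0; i < amounts.length; i++) {
            IERC20 token = IERC20(pool.rewardTokens[i]);
            // Snapshot the contract's balance before the transfer.
            uint256 balanceBefore = token.balanceOf(address(this));
            require(token.transferFrom(msg.sender, address(this), amounts[i]), "transfer failed");
            // Snapshot after; 0.8.x checked arithmetic reverts if the balance went down.
            uint256 received = token.balanceOf(address(this)) - balanceBefore;

            // Form reported in the finding: pool.rewardFunding[i] += amounts[i];
            pool.rewardFunding[i] += received;
            emit RewardFunded(poolId, address(token), amounts[i], received);
        }
    }
}
```

With a token that takes a fee on transfer, `received` is smaller than `amounts[i]`, so the tracker never exceeds the balance the contract holds for that token.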
Lines of code
https://github.com/code-423n4/2022-05-factorydao/tree/main/contracts