Closed code423n4 closed 2 years ago
The following issue originally submitted as QA is a bug
There are ERC20 tokens that charge a fee for every transfer() or transferFrom(). In the current implementation, PermissionlessBasicPoolFactory.sol assumes that the received amount is the same as the transfer amount, and uses it to calculate rewards. As a result, in withdraw(), later users may not be able to successfully withdraw their tokens, as it may revert at L230 for insufficient balance. https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L230
Consider comparing before and after balance to get the actual transferred amount.
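The before/after balance comparison suggested above, as an added sketch that is not code from the FactoryDAO repository or from the finding's author. The contract, its state variables and function names are hypothetical, and it assumes a token whose transfer() and transferFrom() return a bool:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. All names below are hypothetical, not FactoryDAO's.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BalanceDeltaPool {
    IERC20 public immutable depositToken;
    mapping(address => uint256) public credited; // tokens actually received per user
    uint256 public totalCredited;
    bool private locked;

    // A token callback re-entering deposit() would be counted twice by the
    // balance delta, so both entry points share one lock.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 token) {
        depositToken = token;
    }

    function deposit(uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 balanceBefore = depositToken.balanceOf(address(this));
        require(depositToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Credit what arrived, not what was requested: a fee-on-transfer
        // token delivers less than `amount`.
        received = depositToken.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
        totalCredited += received;
    }

    function withdraw() external nonReentrant {
        uint256 owed = credited[msg.sender];
        require(owed > 0, "nothing to withdraw");
        credited[msg.sender] = 0; // state update before the external call
        totalCredited -= owed;
        require(depositToken.transfer(msg.sender, owed), "transfer failed");
    }
}
```

Because the sum of credited amounts never exceeds the tokens the contract received, a later withdrawer's transfer cannot fail for insufficient balance because of a deposit fee. Any reward calculation would likewise need to use `received` rather than `amount`.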
Judge has assessed an item in Issue #198 as Medium risk. The relevant finding follows: