outdoteth
commented
2 years ago All of the risks of not supporting fee-on-transfer tokens are already implicitly acknowledged in the README: https://github.com/outdoteth/putty-v2#rebase-and-fee-on-transfer-tokens
HickupHH3
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L268 https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L436
Vulnerability details
Impact
Though the document says:
If the protocol uses non-fee-on-transfer tokens (e.g. USDC) but someday these tokens upgrade to fee-on-transfer tokens, transactions may fail and the protocol will lose tokens to compensate users for the execution.
Another scenario is, if Alice creates a long call option and Bob takes it by calling
fillOrder, then the token is upgraded to fee-on-transfer token. In this case, Alice can callexerciseto putorder.strikeamount into the protocol, but Bob may be unable to callwithdrawto getorder.strikeamount due to the fee-on-transfer token.Proof of Concept
The protocol will receive tokens in
fillOrder, it should record amounts asafterAmount - beforeAmountrather thanorder.strikedirectly.Another scenario is, if Alice creates a long call option and Bob takes it by calling
fillOrder, then the token is upgraded to fee-on-transfer token. Now Alice can callexerciseto putorder.strikeamount into the protocol: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L436But Bob may be unable to call
withdrawto getorder.strikeamount, or the protocol will lose a part offeeAmount: https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L503Tools Used
None
Recommended Mitigation Steps
Token Transfer Calculation Accuracy in this article: https://blog.chain.link/defi-security-best-practices/