Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L425-L428
Vulnerability details
Impact
In the VotingEscrow contract, if the token is a fee-on-transfer token, the number of tokens received by the contract in the createLock and increaseAmount functions will be less than _value. This makes the locked balance recorded by the contract incorrect, and the user can drain the tokens in the contract by successive deposits and withdrawals.
Proof of Concept
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L425-L428
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L485-L488
Tools Used
None
Recommended Mitigation Steps
Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
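A sketch of the recommended balance-difference accounting next to the pattern the finding describes. This is an added example, not code from the FiatDAO repository: the contract EscrowAccountingSketch and the names depositNaive, depositMeasured and locked are hypothetical, and the entry points are assumed to be protected against reentrancy in a real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not FiatDAO code. All names below are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract EscrowAccountingSketch {
    IERC20 public immutable token;
    mapping(address => uint256) public locked; // amount owed back to each depositor

    constructor(IERC20 _token) {
        token = _token;
    }

    // Pattern the finding describes: the requested _value is credited even
    // when the token delivers less, so the sum of locked amounts can exceed
    // the balance the contract actually holds.
    function depositNaive(uint256 _value) external {
        require(token.transferFrom(msg.sender, address(this), _value), "Transfer failed");
        locked[msg.sender] += _value;
    }

    // Mitigation: measure the balance before and after transferFrom and
    // credit only the difference, i.e. what really arrived.
    // Assumption: callers cannot re-enter between the two balanceOf reads
    // (use a reentrancy guard in a real contract).
    function depositMeasured(uint256 _value) external returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), _value), "Transfer failed");
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "Nothing received");
        locked[msg.sender] += received;
    }

    // Pays out exactly what was credited; with depositMeasured this never
    // exceeds what the depositor's transfers added to the balance.
    function withdraw() external {
        uint256 amount = locked[msg.sender];
        locked[msg.sender] = 0; // update state before the external call
        require(token.transfer(msg.sender, amount), "Transfer failed");
    }
}
```

Any value derived from the deposit, such as voting power or delegated amounts, should be computed from received rather than from _value.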