code-423n4 / 2022-09-party-findings


`LibERC20Compat` doesn't handle fee-on transfer ERC20 tokens #239

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/utils/LibERC20Compat.sol#L12

Vulnerability details

Impact

The `compatTransfer` function doesn't handle all non-compliant ERC20 tokens (deflationary tokens). Due to this, a loss of funds may occur.

During a transfer of deflationary tokens, a small fee is deducted, so if the contract doesn't keep track, a smaller amount will be transferred. In this case, `compatTransfer` doesn't do that.

Proof of Concept

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/utils/LibERC20Compat.sol#L12

Tools Used

Manual review

Recommended Mitigation Steps

Check the balance of the token before and after the transfer to confirm whether the intended amount of the transferred token was deposited.
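The balance-delta check recommended above, written out as an added example. This is not code from the PartyDAO repository or from `LibERC20Compat`; the library name `LibBalanceCheckedTransfer`, the functions `pullExact` and `pullMeasured`, the `FeeOnTransferToken` mock and the `Vault` contract are all hypothetical names chosen for the illustration. It shows the two ways a protocol can respond once it measures what actually arrived: reject tokens that short-change the recipient (the stance the sponsor takes below), or credit only the measured amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.8;

// Minimal ERC20 surface needed for the example (assumption: real tokens may
// return nothing from transferFrom, which the low-level call below tolerates).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical helper library: transfers are measured by the recipient's
// balance before and after, not by the `amount` argument.
library LibBalanceCheckedTransfer {
    error TransferFailed(address token);
    error FeeOnTransferNotSupported(address token, uint256 requested, uint256 received);

    // Pull `amount` of `token` from `from` into this contract and return the
    // amount that was actually credited, i.e. the balance delta.
    function pullMeasured(IERC20 token, address from, uint256 amount) internal returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, address(this), amount)
        );
        // Accept both "returns true" and "returns nothing" tokens; reject reverts and "returns false".
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed(address(token));
        received = token.balanceOf(address(this)) - before;
    }

    // Same measurement, but refuse any token that delivers less than requested.
    function pullExact(IERC20 token, address from, uint256 amount) internal returns (uint256 received) {
        received = pullMeasured(token, from, amount);
        if (received != amount) revert FeeOnTransferNotSupported(address(token), amount, received);
    }
}

// Constructed mock of a deflationary token: 1% of every transfer is burned,
// so the recipient receives less than the `amount` passed to transferFrom.
contract FeeOnTransferToken is IERC20 {
    uint256 public constant FEE_BPS = 100;
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 supply) { _balances[holder] = supply; }

    function balanceOf(address account) external view override returns (uint256) { return _balances[account]; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        uint256 fee = amount * FEE_BPS / 10_000;
        _balances[from] -= amount;
        _balances[to] += amount - fee; // the fee is burned, not forwarded
        return true;
    }
}

// Hypothetical vault contrasting the two policies. Crediting `amount` instead of
// the measured delta is the bug the finding describes: the vault would owe
// depositors more than it holds.
contract Vault {
    using LibBalanceCheckedTransfer for IERC20;

    mapping(address => mapping(address => uint256)) public credited;

    // Policy A: only the amount that actually arrived is credited.
    function depositMeasured(IERC20 token, uint256 amount) external returns (uint256 received) {
        received = token.pullMeasured(msg.sender, amount);
        credited[address(token)][msg.sender] += received;
    }

    // Policy B: fee-on-transfer tokens are rejected outright.
    function depositExact(IERC20 token, uint256 amount) external {
        token.pullExact(msg.sender, amount);
        credited[address(token)][msg.sender] += amount;
    }
}
```

With the mock, `depositExact(token, 1000)` reverts with `FeeOnTransferNotSupported(token, 1000, 990)`, while `depositMeasured(token, 1000)` credits 990. Either policy keeps internal accounting equal to the real balance; a plain `transferFrom` that credits the requested `amount` does not.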

merklejerk commented 1 year ago

We don't support fee-on-transfer tokens.

HardlyDifficult commented 1 year ago

Seems correct, but the report doesn't explore the implications for this protocol. Downgrading and merging with #236