If Router.exactOutputSingle is called with a fee-on-transfer token as the output token, the user will not receive the exact amount requested.
Proof of Concept
The protocol doesn't support fee-on-transfer tokens. I will show one case where it does not work.
The Router.exactOutputSingle function allows swapping inToken for an exact amount of outTokens.
When it is called with a fee-on-transfer token as the out token, the user receives less than the amount he asked for because of the fee.
Example.
A user wants to get 100 tokens. Pool.swap sends him 100 tokens, but because of the fee he receives only 95. As a result, he didn't receive the exact amount.
Tools Used
VsCode
Recommended Mitigation Steps
Some tokens should be blacklisted, as you can't handle all non-standard tokens.
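The 100 -> 95 case above, reproduced with a constructed token, together with a balance-delta check that detects the shortfall. This is an added example, not code from the audited repository; FeeToken, ExactOutPayer, payOut, payOutExact and ShortDelivery are hypothetical names, the 5% fee is assumed from the example figures, and the check is an illustration separate from the blacklist recommended in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed fee-on-transfer token: 5% of every transfer is burned.
contract FeeToken {
    mapping(address => uint256) public balanceOf;
    uint256 public constant FEE_BPS = 500; // 5%, matches the 100 -> 95 example

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;           // reverts on insufficient balance
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[to] += amount - fee;             // recipient is credited net of the fee
        return true;
    }
}

// Hypothetical stand-in for the contract that pays out amountOut.
// It is not the project's Pool or Router and must hold FeeToken before use.
contract ExactOutPayer {
    error ShortDelivery(uint256 requested, uint256 received);

    // Unchecked path: sends the nominal amount and reports what actually arrived.
    function payOut(FeeToken token, address recipient, uint256 amountOut)
        public
        returns (uint256 received)
    {
        uint256 balanceBefore = token.balanceOf(recipient);
        token.transfer(recipient, amountOut);
        received = token.balanceOf(recipient) - balanceBefore; // 95 when amountOut is 100
    }

    // Checked path: reverts when the recipient's balance rose by less than amountOut.
    function payOutExact(FeeToken token, address recipient, uint256 amountOut)
        external
        returns (uint256 received)
    {
        received = payOut(token, recipient, amountOut);
        if (received < amountOut) revert ShortDelivery(amountOut, received);
    }
}
```

With the payer funded, payOut(token, user, 100) returns 95, while payOutExact(token, user, 100) reverts with ShortDelivery(100, 95).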
Lines of code
https://github.com/code-423n4/2022-12-Stealth-Project/blob/main/router-v1/contracts/Router.sol#L181-L190