code-423n4 / 2022-12-tigris-findings


[NAZ-M5] Doesn't Support Fee On Transfer #588

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44

Vulnerability details

Impact

There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom().

Proof of Concept

  1. A fee on transfer token with a 1 token fee for every 100, that is allowed in the vault.
  2. Alice goes to deposit 100 tokens into the vault.
  3. The vault would receive 99 tokens but expected 100 so it would mint 100 tokens of the tigUSD.

Tools Used

Manual Review

Recommended Mitigation Steps

I recommend disallowing fee tokens from being used in the vault. Or it may be better to get the before balance, then transferFrom(), then get the after balance to make sure no fees were added.
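
The accounting gap and the two mitigations described above, as an added example that is not part of the original report and is not the Tigris StableVault source. The contract, interface and function names are hypothetical, and it assumes an 18-decimal token minted 1:1 and a token whose transferFrom() returns a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the Tigris StableVault source. All names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IStableMint {
    function mintFor(address to, uint256 amount) external; // assumed mint hook
}

contract VaultDepositSketch {
    IStableMint public immutable stable;
    mapping(address => bool) public allowed; // token allow-list, fixed at deployment here

    constructor(IStableMint stable_, address[] memory tokens_) {
        stable = stable_;
        for (uint256 i = 0; i < tokens_.length; i++) allowed[tokens_[i]] = true;
    }

    // Pulls `amount` from the caller and returns what the vault actually received.
    // Assumes the token returns a bool from transferFrom.
    function _pull(address token, uint256 amount) internal returns (uint256 received) {
        require(allowed[token], "token not listed");
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = IERC20(token).balanceOf(address(this)) - balanceBefore;
    }

    // Behaviour the report describes: mints the requested amount. With a 1% fee
    // token, a deposit of 100 leaves 99 in the vault while 100 are minted.
    function depositTrusting(address token, uint256 amount) external {
        _pull(token, amount);
        stable.mintFor(msg.sender, amount);
    }

    // Mitigation 1: mint only what arrived (balance before and after).
    function depositMeasured(address token, uint256 amount) external {
        stable.mintFor(msg.sender, _pull(token, amount));
    }

    // Mitigation 2: refuse any token that delivers less than requested.
    function depositStrict(address token, uint256 amount) external {
        require(_pull(token, amount) == amount, "fee-on-transfer token");
        stable.mintFor(msg.sender, amount);
    }
}
```

The strict variant reverts the whole deposit, so a fee token on the allow-list fails at the first deposit and never creates an unbacked balance.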

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #522

c4-judge commented 1 year ago

GalloDaSballo marked the issue as not a duplicate

GalloDaSballo commented 1 year ago

L

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-12-tigris-findings/issues/572