Lines of code
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L17
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/beefy/BeefyAdapter.sol#L17
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L88
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L154
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/utils/MultiRewardStaking.sol#L26
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L26
Vulnerability details
Impact
There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom(). Others are rebasing tokens that increase in value over time like Aave's aTokens (balanceOf changes over time).
Proof of Concept
Multiple different functions across all of the contracts store the entire amount, but with fee-on-transfer tokens fewer tokens are actually transferred, which leads to inconsistencies.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider checking the actual balance of the contract, or ensure that the protocol never uses rebasing or fee-on-transfer tokens.
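The following added example sketches the "check the actual balance" mitigation next to the accounting pattern described above. It is not code from the Popcorn repository: the contract, its functions and its storage variables are hypothetical, and it assumes a token whose `transferFrom` returns a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names below are hypothetical, not the project's own.
// Minimal interface, declared inline so the file compiles without dependencies.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BalanceDeltaDeposit {
    IERC20 public immutable asset;
    uint256 public totalCredited;                 // sum of all credited deposits
    mapping(address => uint256) public credited;  // per-depositor accounting

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    // Pattern the report flags: credits the requested `amount`, which exceeds
    // what this contract received when the token deducts a fee on transfer.
    // totalCredited then drifts above the real token balance.
    function depositNaive(uint256 amount) external {
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender] += amount;
        totalCredited += amount;
    }

    // Mitigation: credit only the measured increase in this contract's balance.
    function depositChecked(uint256 amount) external returns (uint256 received) {
        uint256 balanceBefore = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Checked arithmetic (0.8.x) reverts if the balance somehow decreased.
        received = asset.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
        totalCredited += received;
    }
}
```

Measuring a balance delta around an external call should be combined with a reentrancy guard when the token can invoke callbacks. The delta check covers fee-on-transfer tokens only; a rebasing token changes `balanceOf` after the deposit, so for those the report's other option, not supporting them, applies.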