code-423n4 / 2023-01-popcorn-findings


[NAZ-M4] Doesn't Work With Fee-On Transfer Tokens #551

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/yearn/YearnAdapter.sol#L17
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/beefy/BeefyAdapter.sol#L17
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L88
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/adapter/abstracts/AdapterBase.sol#L154
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/utils/MultiRewardStaking.sol#L26
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L26

Vulnerability details

Impact

There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer() or transferFrom(). Others are rebasing tokens that increase in value over time like Aave's aTokens (balanceOf changes over time).

Proof of Concept

Across multiple functions, all of the contracts store the entire requested amount, but with fee-on-transfer tokens fewer tokens will actually be transferred, which leads to inconsistencies.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider checking the actual balance of the contract, or ensure that the protocol never uses rebasing tokens or tokens with fee-on-transfer.
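As an added illustration that is not part of this report or the Popcorn code base, the sketch below contrasts a deposit that credits the caller with the requested `amount` against one that credits only the tokens actually received, which is the balance check the mitigation suggests. The contract, function and variable names are hypothetical, and the OpenZeppelin imports are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault sketch (not Popcorn's code) showing both accounting styles.
contract FeeOnTransferExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public shares;
    uint256 public totalAssetsTracked;

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    /// Vulnerable style: credits `amount` even though a fee-on-transfer token
    /// delivers less, so the tracked total drifts above the real balance and
    /// later withdrawals can revert or pay out more than was deposited.
    function depositUnsafe(uint256 amount) external {
        asset.safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
        totalAssetsTracked += amount;
    }

    /// Hardened style: measure the balance delta and credit only what arrived.
    function depositSafe(uint256 amount) external returns (uint256 received) {
        uint256 before = asset.balanceOf(address(this));
        asset.safeTransferFrom(msg.sender, address(this), amount);
        received = asset.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
        totalAssetsTracked += received;
    }

    /// Invariant a test suite or monitor can check: tracked assets never
    /// exceed the real balance. depositSafe preserves it; depositUnsafe
    /// breaks it as soon as any fee-charging token is deposited.
    function accountingIsConsistent() external view returns (bool) {
        return totalAssetsTracked <= asset.balanceOf(address(this));
    }
}
```

The balance-delta pattern covers fee-on-transfer tokens but not rebasing ones, whose balances change outside any transfer, which is why the report also recommends excluding them entirely.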

c4-judge commented 1 year ago

dmvt marked the issue as duplicate of #44

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor confirmed

c4-judge commented 1 year ago

dmvt marked the issue as partial-50