Some ERC20 tokens, e.g. STA, PAXG, incur a transfer fee whereas some like USDT, USDC do not currently charge a fee but may do so in the future.
In the current implementation of Vault.sol, it is assumed that the received amount is the same as the assets transfer amount when adding tokens via deposit() and mint(). However, due to how fee-on-transfer tokens work, much less will be received than what was transferred. Consequently, later users may not be able to successfully redeem/withdraw their shares, as it may revert due to insufficient contract balance.
Proof of Concept
Here is a typical Fee-on-transfer scenario:
Contract calls transfer from contractA 100 tokens to current contract
Current contract thinks it has received 100 tokens
It updates balances to increase +100 tokens
In actuality, contract received only 90 tokens
This breaks the whole math for this given token and mess up with future accounting.
Lines of code
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L134-L158 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L170-L198 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L253-L278 https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/Vault.sol#L211-L240
Vulnerability details
Impact
Some ERC20 tokens, e.g. STA, PAXG, incur a transfer fee whereas some like USDT, USDC do not currently charge a fee but may do so in the future.
In the current implementation of Vault.sol, it is assumed that the received amount is the same as the assets transfer amount when adding tokens via
deposit()
andmint()
. However, due to how fee-on-transfer tokens work, much less will be received than what was transferred. Consequently, later users may not be able to successfully redeem/withdraw their shares, as it may revert due to insufficient contract balance.Proof of Concept
Here is a typical Fee-on-transfer scenario:
This breaks the whole math for this given token and mess up with future accounting.
Vault.sol#L134-L158
Vault.sol#L253-L278
Recommended Mitigation Steps
It is recommended: