code-423n4 / 2023-05-ajna-findings

Contracts are vulnerable to fee-on-transfer-token-related accounting issues #479

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L67

Vulnerability details

Impact

Without measuring the balance before and after the transfer, there's no way to ensure that enough tokens were transferred in the cases where the token has a fee-on-transfer mechanic. If there are latent funds in the contract, subsequent transfers will succeed.

There is one instance of this issue:

File: ajna-grants/src/grants/GrantFund.sol

        token.safeTransferFrom(msg.sender, address(this), fundingAmount_);

Tools Used

Manual Review

Recommended mitigation steps

Consider checking the balance before and after the transfer.

Assessed type

Token-Transfer
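The before/after balance check that the finding recommends, shown as an added Solidity example beside the unchecked pattern. This is not the Ajna GrantFund contract: only the `token.safeTransferFrom(msg.sender, address(this), fundingAmount_)` line mirrors the quoted snippet; `FeeAwareTreasury`, `treasury`, `fundTreasury*` and `ShortTransfer` are hypothetical names, and `IERC20`/`SafeERC20` are assumed to come from OpenZeppelin.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical minimal treasury used to illustrate the mitigation.
/// Not the Ajna GrantFund contract; only the safeTransferFrom line
/// mirrors the snippet quoted in the finding.
contract FeeAwareTreasury {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint256 public treasury; // internal accounting of funds actually received

    error ShortTransfer(uint256 expected, uint256 received);

    constructor(IERC20 token_) {
        token = token_;
    }

    /// Unchecked pattern: credits the caller-supplied amount without
    /// confirming that the contract's balance grew by that much. If `token`
    /// deducts a fee on transfer, `treasury` overstates the real holdings and
    /// later withdrawals only succeed while latent funds cover the gap.
    function fundTreasuryUnchecked(uint256 fundingAmount_) external {
        token.safeTransferFrom(msg.sender, address(this), fundingAmount_);
        treasury += fundingAmount_;
    }

    /// Hardened pattern: snapshot the balance before and after the transfer
    /// and account only for the tokens that actually arrived. Reverting on a
    /// short delta keeps the caller's intent and the contract's books aligned;
    /// crediting `received` instead of `fundingAmount_` is the alternative if
    /// fee-bearing deposits should be accepted rather than rejected.
    function fundTreasury(uint256 fundingAmount_) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), fundingAmount_);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        if (received < fundingAmount_) {
            revert ShortTransfer(fundingAmount_, received);
        }
        treasury += received;
    }
}
```

The check costs two extra `balanceOf` calls and only matters for tokens whose transfer amount can differ from the requested amount; for a plain ERC-20 both functions behave identically.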

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid