code-423n4 / 2023-09-delegate-findings


User funds may be blocked if tokens with a transfer fee are used as the underlyingToken #301

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L296-L322
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L353-L386

Vulnerability details

Impact

A user can create a rights token pair by pulling the underlying token. To do this, they call the create() function (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L296-L322). During execution of the function, the user sends tokens to the contract address (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L297). If an ERC20 token is used as the tokenContract, nothing restricts the use of tokens with a transfer fee. Examples of such tokens: https://github.com/d-xo/weird-erc20#fee-on-transfer. If the user deposits such a token, the contract does not take into account that its balance will receive fewer tokens than expected. Once the contract is short of tokens, withdrawals for users (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L353-L386) will be blocked until new tokens arrive at the contract address. Over time, the shortage of tokens at the contract address will gradually increase.

Proof of Concept

  1. The user deposits tokens with a fee on transfer via the create() function.
  2. The DelegateToken.sol contract account receives fewer tokens than the `amount` transferred.
  3. The user calls the withdraw() function. There are insufficient funds in the contract account, so the operation does not complete.

Tools Used

Manual review

Recommended Mitigation Steps

Compare the balance of tokens before and after sending. Record the difference to the user's balance.

Assessed type

ERC20
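The accounting defect described in this finding, and the balance-difference mitigation it recommends, reduced to a minimal escrow. This is an added illustration, not code from DelegateToken.sol or the 2023-09-delegate repository: `FeeOnTransferToken` is a constructed mock that burns 1% of every transfer, and `NaiveEscrow` / `BalanceCheckedEscrow` are hypothetical contracts standing in for the create()/withdraw() pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not DelegateToken.sol): a minimal escrow that shows the
// over-crediting defect and the before/after balance mitigation.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed mock of the fee-on-transfer class listed at d-xo/weird-erc20:
/// 1% of every transfer is burned, so the recipient gets amount - fee.
contract FeeOnTransferToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    uint256 public constant FEE_BPS = 100; // 1%

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;        // checked arithmetic: reverts on shortfall
        balanceOf[to] += amount - fee;    // the fee is burned
    }
    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        // Allowance bookkeeping omitted: this mock only exists to show the fee.
        _move(from, to, amount);
        return true;
    }
}

/// Vulnerable pattern: credits the depositor with the `amount` argument even
/// though the contract actually received `amount - fee`. Each deposit leaves
/// the contract short by the fee, so a later full withdrawal reverts.
contract NaiveEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;        // over-credits by the fee
    }

    function withdraw(uint256 amount) external {
        credited[msg.sender] -= amount;
        token.transfer(msg.sender, amount);    // fails once the shortfall exceeds spare balance
    }
}

/// Hardened pattern (the mitigation recommended above): snapshot the balance
/// before the pull, credit only what actually arrived.
contract BalanceCheckedEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        token.transferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - before;
        credited[msg.sender] += received;      // credits amount - fee, matching real balance
    }

    function withdraw(uint256 amount) external {
        credited[msg.sender] -= amount;
        token.transfer(msg.sender, amount);    // always backed by tokens the contract holds
    }
}
```

With the mock, a deposit of 100 tokens into `NaiveEscrow` credits 100 but leaves 99 in the contract; `withdraw(100)` then reverts inside the token's checked subtraction, which is the blocked-withdrawal condition the finding describes. `BalanceCheckedEscrow` credits 99, so the sum of all credits never exceeds the contract's real balance. The fee is charged again on the outgoing transfer, so the user receives slightly less than they withdraw, but that is the token's behaviour and does not make the escrow insolvent.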

GalloDaSballo commented 1 year ago

OOS from Bot

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Out of scope