GalloDaSballo
commented
1 year ago OOS from Bot
Closed c4-submissions closed 1 year ago
GalloDaSballo
commented
1 year ago OOS from Bot
c4-judge
commented
1 year ago GalloDaSballo marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L399
Vulnerability details
Impact
The issue here is that some non-standard ERC20 tokens can have fee-on-transfer
Proof of Concept
The issue here is that some non-standard ERC20 tokens can have fee-on-transfer, so it could cause a problem that the protocol will lose tokens on each call.
Since the number of deposit tokens and withdraw tokens are written in some variables, without taking into account the fee-on-transfer. So, the user will receive the number of tokens after withdrawing less by a one-time payment of fee-on-transfer, because the second fee-on-transfer was paid by the protocol.
So, in some period of time, the protocol balance of some non-standard tokens can be drained by multiple call of transfer function
The same issue can be found all over the contract, on each interaction with ERC20 tokens.
Tools Used
Manual review
Recommended Mitigation Steps
Change the user's deposited tokens based on each withdraw with taking fee-on-transfer to an account.
Assessed type
Token-Transfer