code-423n4 / 2023-09-delegate-findings


Protocol does not work with fee-on-transfer ERC20 tokens #360

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L375

Vulnerability details

Impact

The protocol does not work with fee-on-transfer ERC20 tokens. When this type of token is escrowed, the amount is sent to the DelegateToken contract. After that the underlying amount delegateInfo.amount is stored in the delegateTokenInfo[delegateTokenId][UNDERLYING_AMOUNT_POSITION] location.

Unfortunately, if this is a fee-on-transfer ERC20 token, the actual sent amount and the amount stored will be different. This can cause trouble when tokens are sent back to the delegateTokenHolder during the withdraw function call.

Tools Used

Manual Review

Recommended Mitigation Steps

Check the balance before and after the transfer, then subtract to calculate the exact balance that was transferred.

Assessed type

Token-Transfer
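The balance-before/after check recommended in the submission above, as an added example that is not part of the original submission and is not DelegateToken's code. `BalanceDeltaEscrow`, its `Deposit` struct and its error names are hypothetical; the reentrancy lock is included because a token that calls back during `transferFrom` would otherwise distort the measured difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical escrow (assumption, not the audited contract): it records the
// amount that actually arrived, not the amount the caller asked to send.
contract BalanceDeltaEscrow {
    struct Deposit { address token; address owner; uint256 received; }

    mapping(uint256 => Deposit) public deposits;
    uint256 public nextId;
    uint256 private locked = 1;

    error TransferFailed();
    error NothingReceived();
    error NotOwner();
    error Reentrancy();

    modifier nonReentrant() {
        if (locked != 1) revert Reentrancy();
        locked = 2;
        _;
        locked = 1;
    }

    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 id) {
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        // Checked subtraction: reverts if the balance somehow went down.
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();
        id = nextId++;
        // With a fee-on-transfer token, received < amount; store received.
        deposits[id] = Deposit(token, msg.sender, received);
    }

    function withdraw(uint256 id) external nonReentrant {
        Deposit memory d = deposits[id];
        if (d.owner != msg.sender) revert NotOwner();
        delete deposits[id]; // clear state before the external call
        if (!IERC20(d.token).transfer(d.owner, d.received)) revert TransferFailed();
    }
}
```

Because the stored value is the measured difference, the escrow never owes more than it holds; the withdrawer still receives less than `received` if the token charges its fee again on the way out.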

c4-judge commented 10 months ago

GalloDaSballo marked the issue as unsatisfactory: Out of scope

GalloDaSballo commented 10 months ago

OOS from Bot