Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L375
Vulnerability details
Impact
The protocol does not work with fee-on-transfer ERC20 tokens. When this type of token is escrowed, the amount is sent to the DelegateToken contract. After that the underlying amount delegateInfo.amount is stored in the delegateTokenInfo[delegateTokenId][UNDERLYING_AMOUNT_POSITION] location.
Unfortunately, if this is a fee-on-transfer ERC20 token, the actual sent amount and the amount stored will be different. This can cause trouble when tokens are sent back to the delegateTokenHolder during the withdraw function call.
Tools Used
Manual Review
Recommended Mitigation Steps
Check the balance before and after the transfer, then subtract to calculate the exact balance that was transferred.
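The balance-difference check described above, as an added example that is not code from the Delegate repository: MeasuredEscrow, its Escrow struct and its function names are hypothetical, and the sketch assumes a token that returns a bool from transfer and transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical escrow (not DelegateToken): records what arrived, not what was requested.
contract MeasuredEscrow {
    struct Escrow { address token; address holder; uint256 amount; }
    mapping(uint256 => Escrow) public escrows;
    uint256 public nextId;
    bool private locked;

    // A token with transfer hooks could re-enter deposit() between the two balance
    // reads and have one transfer counted twice, so the measurement is locked.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 id) {
        IERC20 erc20 = IERC20(token);
        uint256 balanceBefore = erc20.balanceOf(address(this));
        // Tokens that return no bool need a SafeERC20-style wrapper instead of this call.
        require(erc20.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        // Checked arithmetic reverts if the balance went down.
        uint256 received = erc20.balanceOf(address(this)) - balanceBefore;
        require(received != 0, "nothing received");
        id = nextId++;
        escrows[id] = Escrow(token, msg.sender, received);
    }

    function withdraw(uint256 id) external nonReentrant {
        Escrow memory e = escrows[id];
        require(msg.sender == e.holder, "not holder");
        delete escrows[id]; // clear state before the external call
        // Sends exactly what was received; a fee-on-transfer token charges its fee
        // again here, but the contract never pays out more than this escrow holds.
        require(IERC20(e.token).transfer(e.holder, e.amount), "transfer failed");
    }
}
```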
Assessed type
Token-Transfer