code-423n4 / 2024-02-spectra-findings


PrincipalToken.sol:: deposit() with any asset does not account for fee-on-transfer tokens #122

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L176-L185

Vulnerability details

Impact

PrincipalToken.sol:: deposit() with any asset does not account for fee-on-transfer tokens like USDT; this causes a loss of assets for the Principal Token contract.

Proof of Concept

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L176-L185

Example: IBT: aUSDT (Aave interest-bearing USDT token) -- asset: USDT

Users can deposit FOT tokens without the fee being taken into account; there are some fee-on-transfer tokens like USDT. Here the user transfers some amount of a FOT asset into the PT contract, and the received amount is less than the initial amount transferred by the user because of the transfer fee. But PT deposits the amount that is not adjusted for the fee into the IBT vault, so it will cause a loss of PT asset balance.

Tools Used

Manual Review

Recommended Mitigation Steps

Check PT's asset balance before and after the transfer, so that the exact received amount is what gets deposited into the vault.

Assessed type

Token-Transfer
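As an added illustration (hypothetical code, not Spectra's PrincipalToken), the deposit pattern the report describes is shown next to the balance-delta mitigation it recommends. It assumes the IBT is an OpenZeppelin `IERC4626` vault and uses OpenZeppelin's `SafeERC20`; the contract and function names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {IERC4626} from "@openzeppelin/contracts/interfaces/IERC4626.sol";

/// Hypothetical minimal wrapper (not Spectra's code): `ibt` is an ERC-4626
/// vault whose underlying token is `asset`.
contract DepositExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    IERC4626 public immutable ibt;

    constructor(IERC4626 ibt_) {
        ibt = ibt_;
        asset = IERC20(ibt_.asset());
        // One-time approval so the vault can pull assets held by this contract.
        asset.forceApprove(address(ibt_), type(uint256).max);
    }

    /// The pattern the report describes: the caller-supplied `assets` value is
    /// forwarded to the vault unchanged. With a fee-on-transfer token the
    /// contract receives less than `assets`, so the shortfall is paid from the
    /// contract's own balance (or the call reverts once that balance runs out).
    function depositUnsafe(uint256 assets, address receiver) external returns (uint256 shares) {
        asset.safeTransferFrom(msg.sender, address(this), assets);
        shares = ibt.deposit(assets, receiver);
    }

    /// The recommended mitigation: measure the balance before and after the
    /// transfer and deposit only what actually arrived, so the transfer fee
    /// is borne by the depositor rather than by the contract.
    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        uint256 balanceBefore = asset.balanceOf(address(this));
        asset.safeTransferFrom(msg.sender, address(this), assets);
        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        shares = ibt.deposit(received, receiver);
    }
}
```

Because shares are minted against `received`, a depositor of a fee-on-transfer token simply gets fewer shares; the contract's pre-existing asset balance is never drawn on.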

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

gzeon-c4 commented 8 months ago

bot report m-01

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid