According to the README.md, the protocol utilizes USDB and WETH tokens, with provisions for integrating additional tokens in the future for operations within the LockManager.
Also, the protocol claims to support tokens whose balances changes outside of transfers. This therefore follows that in future, rebasing tokens such as stETH will be accepted and therefore the protocol will have to incorporate them.
However, as it is now, it is incompatible with these tokens.
Proof of Concept
The _lock function in the protocol is designed to transfer ERC-20 tokens from a user's account to the protocol's account.
// Transfer erc tokens
if (_tokenContract != address(0)) {
IERC20 token = IERC20(_tokenContract);
token.transferFrom(_tokenOwner, address(this), _quantity);
}
The function uses the transferFrom() method of the ERC-20 token contract to achieve this. However, the function does not query the token balance before and after the transfer to account for any rebasing balance shifts.
This opens a path for balance discrepancies within the protocol.
Tools Used
Manual review
Recommended Mitigation Steps
The protocol should implement logic to handle rebasing tokens appropriately.
One effective approach is to query token balances before and after transfers.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L373-L377
Vulnerability details
Impact
According to the README.md, the protocol utilizes USDB and WETH tokens, with provisions for integrating additional tokens in the future for operations within the LockManager.
Also, the protocol claims to support tokens whose balances changes outside of transfers. This therefore follows that in future, rebasing tokens such as stETH will be accepted and therefore the protocol will have to incorporate them.
However, as it is now, it is incompatible with these tokens.
Proof of Concept
The _lock function in the protocol is designed to transfer ERC-20 tokens from a user's account to the protocol's account.
The function uses the transferFrom() method of the ERC-20 token contract to achieve this. However, the function does not query the token balance before and after the transfer to account for any rebasing balance shifts.
This opens a path for balance discrepancies within the protocol.
Tools Used
Manual review
Recommended Mitigation Steps
The protocol should implement logic to handle rebasing tokens appropriately.
One effective approach is to query token balances before and after transfers.
Assessed type
Other