code-423n4 / 2024-05-olas-findings


Lack of support for specific tokens #124

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-olas/blob/e2a8bc31d2769bfb578a06cc64919ad369a82c08/registries/contracts/staking/StakingToken.sol#L108 https://github.com/code-423n4/2024-05-olas/blob/e2a8bc31d2769bfb578a06cc64919ad369a82c08/registries/contracts/staking/StakingToken.sol#L125

Vulnerability details

Impact

Olas is expected to support all kinds of ERC20 tokens. If one such token is a fee-on-transfer token (balances change during transfer), users may lose their expected funds, since if the balance changed later, the returned value will be inaccurate, and the amount used before and after that specific operation might differ.

Proof of Concept

Here is one such instance in StakingToken.sol, in deposit and _withdraw:

```solidity
// deposit(): the requested `amount` is pulled in and later credited as-is
// Add to the overall balance
SafeTransferLib.safeTransferFrom(stakingToken, msg.sender, address(this), amount);

// _withdraw(): the requested `amount` is sent out without checking what actually moved
SafeTransferLib.safeTransfer(stakingToken, to, amount);
```

Users who deposit/withdraw tokens will not see their exact amount deposited or withdrawn from the protocol.

Tools Used

ERC20 tokens

Recommended Mitigation Steps

Compute the balance before and after transfer and subtract them to get the real amount.

Assessed type

ERC20

c4-judge commented 4 months ago

0xA5DF marked the issue as satisfactory