Open hats-bug-reporter[bot] opened 9 months ago
USDB
Rebasing is disabled by default for contracts; the protocol could opt in to enable rebasing, but there is no function to support that. Additionally (if there were functions to support it), the contracts could receive yield anyway by manually claiming without rebasing. I mentioned these in my submission: https://github.com/hats-finance/Blast-Futures-Exchange-0x97895c329b950755566ddcdad3395caaea395074/issues/25
The need to check that a transfer sent the expected amount of tokens arises with fee-on-transfer tokens, which this contract is not intended to work with. A rebasing token such as USDB does not require this check.
Automatic USDB rebasing is enabled by default for both contracts and EOAs, see https://docs.blast.io/building/guides/weth-yield
Background note: at the time of writing the current contracts, USDB rebasing was not implemented on blast-sepolia. Redistribution of yield to users is planned for a future version of the contract.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x25a82e92067efc2dd7c7f9ef314133b5f81fd816d421d41637968d3b30a9ffc1
Severity: medium
Description

Blast Futures Exchange is expected to be deployed on the Blast L2 chain. The protocol contracts accept the USDB token as `PaymentToken` during deposits/transfers/withdrawals or when claiming the tokens. The contracts do not appear to support rebasing tokens, i.e. USDB, whose balance changes during transfers or over time. It should be noted that rebasing tokens automatically adjust their supply to maintain a stable price. Therefore, volatility is expected while using rebasing tokens.
However, the necessary checks, which include at least verifying the amount of tokens transferred to the contracts before and after the actual transfer to infer any fees/interest, are missing from the contract functionality.
With the current implementation, it seems a normal ERC20 token is used in the contract; however, this is not true. The documentation mentions,
Therefore, balance-before and balance-after checks should be added to the contract so that rebasing tokens are compatible.
The following instances do not check the before and after balance while transferring tokens to or from the contracts. Functions like `stake()`, `deposit()` and `withdraw()` are affected in the instances below:

1) Bfx.sol at L-65, L-80, L-89
2) BfxVault.sol at L-47, L-277
3) PoolDeposit.sol at L-50, L-68, L-82
Recommendation

Add support in the contracts' functionality for such rebasing tokens, i.e. USDB (here), before accepting user-supplied tokens. Consider checking before/after balances during transfers.
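The before/after balance check the submission recommends, written out as an added example that is not part of the original issue or of the Blast Futures Exchange contracts (Bfx.sol, BfxVault.sol and PoolDeposit.sol are not reproduced here). The `ExampleVault` contract, its `balances` ledger and the inline `IERC20` interface are assumptions for illustration; the naive deposit is shown next to the checked one so the difference in what gets credited is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below, declared inline to keep the example self-contained.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Hypothetical payment-token vault (assumption, not one of the protocol's contracts).
/// Contrasts the naive "credit what was requested" pattern the submission flags with the
/// "credit what was measured" pattern it recommends.
contract ExampleVault {
    IERC20 public immutable paymentToken;           // e.g. USDB, injected at construction
    mapping(address => uint256) public balances;    // internal ledger of user deposits

    constructor(IERC20 token) {
        paymentToken = token;
    }

    /// @dev NAIVE: credits `amount` regardless of what the vault actually received.
    /// If the token delivers less than `amount` (e.g. a fee on transfer), the ledger
    /// overstates holdings and the last withdrawer cannot be paid in full.
    function depositNaive(uint256 amount) external {
        require(paymentToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    /// @dev CHECKED: snapshot the vault balance before and after the transfer and credit
    /// only the measured difference, so the ledger never exceeds tokens actually held.
    function depositChecked(uint256 amount) external returns (uint256 received) {
        uint256 balBefore = paymentToken.balanceOf(address(this));
        require(paymentToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 balAfter = paymentToken.balanceOf(address(this));
        received = balAfter - balBefore;            // reverts on underflow in 0.8.x
        require(received > 0, "nothing received");
        balances[msg.sender] += received;
    }

    /// @dev Withdraw side of the same idea: debit the requested amount, and verify that the
    /// token did not remove more from the vault than was requested.
    function withdrawChecked(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;             // effects before interaction
        uint256 balBefore = paymentToken.balanceOf(address(this));
        require(paymentToken.transfer(msg.sender, amount), "transfer failed");
        uint256 removed = balBefore - paymentToken.balanceOf(address(this));
        require(removed <= amount, "token removed more than requested");
    }
}
```

Note the limit of this check, which is the distinction the replies above turn on: it captures only the delta produced by the transfer call itself. A balance that drifts between transactions (yield accruing to a rebasing token, or a rebase applied later) is never observed by `depositChecked`, so any plan to redistribute that yield needs separate accounting, for instance periodically reconciling `paymentToken.balanceOf(address(this))` against the sum of the ledger.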