Open hats-bug-reporter[bot] opened 1 month ago
This was mitigated through the introduction of a reward token whitelist in https://github.com/metrom-xyz/contracts/commit/a38913d493d96d73e23b8fafb55c7c3e76a7e41f. Rebasing tokens won't be allowed for the time being.
Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x49dc91be7d105d0afdf1d1de7368e3674aee43ff04a0a95efa91650b94ca46c0
Severity: medium

Description:
As mentioned by the sponsors, any ERC 20 is allowed. The Metrom contracts do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. Some tokens may make arbitrary balance modifications outside of transfers (e.g. Ampleforth style rebasing tokens, Compound style airdrops of governance tokens, mintable/burnable tokens). For example, a user creates a campaign and transfers 1000 tokens into the contract; the issue here is that after some time the tokens could decrease or increase.

Attack Scenario:
A user wants to create a campaign and uses rebasing tokens, setting the amount as 1000. The 1000 tokens are transferred, but after some time the balance will change, leading to potential reverts when `_processRewardClaim` is called.

Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
For any rebasing/inflation/deflation tokens, make sure to add support in the contracts for such tokens before accepting user-supplied tokens.
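
The accounting gap described in this report, and the whitelist-style mitigation the sponsor mentions, sketched as an added example that is not part of the original report and is not Metrom's code. `RewardVaultSketch`, `fund`, `accounted` and `shortfall` are hypothetical names, and the sketch assumes reward tokens that return `bool` from `transfer`/`transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not taken from the Metrom code base.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RewardVaultSketch {
    address public immutable owner;
    mapping(address => bool) public whitelisted;  // tokens vetted as non-rebasing
    mapping(address => uint256) public accounted; // amount the contract believes it holds

    error NotOwner();
    error TokenNotWhitelisted(address token);
    error TransferFailed();
    error ReceivedAmountMismatch(uint256 expected, uint256 received);

    constructor() {
        owner = msg.sender;
    }

    function setWhitelisted(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        whitelisted[token] = allowed;
    }

    // Deposit path: reject unvetted tokens, then require that the measured
    // balance delta equals the requested amount (catches fee-on-transfer tokens).
    function fund(address token, uint256 amount) external {
        if (!whitelisted[token]) revert TokenNotWhitelisted(token);
        uint256 beforeBal = IERC20(token).balanceOf(address(this));
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        uint256 received = IERC20(token).balanceOf(address(this)) - beforeBal;
        if (received != amount) revert ReceivedAmountMismatch(amount, received);
        accounted[token] += amount;
    }

    // Monitoring helper: a non-zero result means recorded rewards exceed the
    // real balance (e.g. after a negative rebase), so a later claim would revert.
    function shortfall(address token) external view returns (uint256) {
        uint256 bal = IERC20(token).balanceOf(address(this));
        return accounted[token] > bal ? accounted[token] - bal : 0;
    }
}
```

The balance-delta check only covers changes at transfer time; balance drift after the deposit is what the whitelist excludes and what `shortfall` would surface.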