Open hats-bug-reporter[bot] opened 3 months ago
That's why we calculate the balances before and after the transfer in the vault manager. We are aware that sometimes values are lost during token transfers, such as with compound tokens. This approach ensures that we account for any discrepancies and handle the tokens correctly.
@aktech297
Hi @langnavina97,
We analyzed the code again and we can see an issue due to fee on transfer. Let's see in detail.
We identified the following two issues with fee on transfer tokens.
Let's see the first one.
In short about the DepositBatch contract,
DepositBatch
contract DepositBatch
to vault manager.multiTokenSwapAndTransfer
- if the _depositToken token is FOT, the received amount is lesser than the data._depositAmount - here
But the depositAmounts array will have slightly higher values than what was received. This array is passed to multiTokenDepositFor here.
The call flow will be multiTokenSwapAndTransfer - multiTokenDepositFor - _handleTokenTransfer.
Please note that the msg.sender will be the BatchDeposit contract in the _handleTokenTransfer. Here the array is traversed and funds are sent to the vault here. Here the BatchDeposit will have less balance than the array balance value for FOT. When trying to transfer more value, the transaction will revert due to insufficient value.
Now, let's see the incorrect mint ratio calculation.
The user can directly call multiTokenDepositFor with an array of deposit amounts, the min mint amount, and to whom the deposit is wanted to be.
In function _handleTokenTransfer, the min ratio is calculated using this array of balances. But if we see the FOT, this array of values will differ from the actual transferred amount. So the calculated ratio will be slightly higher than the actual value.
Based on this ratio, the mint amount is calculated and tokens are minted.
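The two effects described in the comment above (the batch forward reverting, and the vault crediting more than it holds) alongside the balance-before/after accounting mentioned in the first reply, as an added Python model that is not part of the thread or the project's Solidity code. `FeeToken`, `pull`, `direct_deposit`, `batch_deposit` and the 1% fee are hypothetical names and values chosen for illustration.

```python
class FeeToken:
    """Constructed ERC-20-style ledger that keeps fee_bps of every transfer."""

    def __init__(self, fee_bps, balances):
        self.fee_bps = fee_bps
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")  # stands in for a revert
        received = amount - amount * self.fee_bps // 10_000
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + received


def pull(token, src, dst, amount, measure):
    """Move `amount` and return the figure dst books for it.

    measure=False books the requested amount (the assumption in the report);
    measure=True books the balance delta actually observed at dst.
    """
    before = token.bal.get(dst, 0)
    token.transfer(src, dst, amount)
    return token.bal[dst] - before if measure else amount


def direct_deposit(token, amount, measure):
    """user -> vault; returns (amount credited for minting, vault balance)."""
    credited = pull(token, "user", "vault", amount, measure)
    return credited, token.bal["vault"]


def batch_deposit(token, amount, measure):
    """user -> batch -> vault; the batch forwards whatever it booked."""
    booked = pull(token, "user", "batch", amount, measure)
    credited = pull(token, "batch", "vault", booked, measure)
    return credited, token.bal["vault"]


if __name__ == "__main__":
    new = lambda: FeeToken(100, {"user": 1_000})  # constructed: 1% fee
    print(direct_deposit(new(), 1_000, measure=False))  # credited vs. held
    print(batch_deposit(new(), 1_000, measure=True))
    try:
        batch_deposit(new(), 1_000, measure=False)
    except RuntimeError as exc:
        print("batch forward reverted:", exc)
```

With two hops the fee is charged twice, so the measured path credits only what reaches the vault after both transfers.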
Github username: @aktech297
Twitter username: kaka
Submission hash (on-chain): 0x60d96e8f99fadf43cf6461745bc9c8f90dcc27fa7a61310b73408a79523d0449
Severity: medium
Description:
Description
DepositBatch - multiTokenSwapAndTransfer function deposits tokens where it assumes all the tokens are transferred from the user.
This is not true if we consider some tokens which charge a fee on transfer.
Attack Scenario
When the user transfers the token, though the actual token amount is lesser than the actual value, the contract assumes that all tokens are transferred from the user. This would lead to unexpected issues during token transfer handling.
Attachments