the mentioned variables should be marked as
private instead of public
DESCRIPTION
The OFTWithFee.sol contract has differences from LZ implementation
https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts
/token/oft/v2/fee/OFTWithFee.sol.
The original contract implements OZ’s ERC20 contract which uses
_transfer, but this contract implements Solmate’s ERC20 which doesn’t.
This contract also defines a new internal function _transfer() (L100-L105)
and as stated by the doc string it might implement token
fees, slashing,
etc if needed. This one is called from OFTWithFee.sol:_transferFrom() only
and thus used when OFT is transferred between chains.
On the other hand, OFTWithFee.sol is inherited from
solmate/tokens/ERC20.sol that has the implementation of transfer()
which doesn’t use _transfer(). In such case, if
fees/slashing/etc
mechanisms are added to _transfer() there will be discrepancies in how
token behaves when transferring in the same chain versus cross-chain.
DISCREPANCIES BETWEEN OFT CROSS-CHAIN/SAME-CHAIN TRANSFERS
SEVERITY: Low
PATH: OFTWithFee.sol:_transfer:L100-105
https://github.com/manifoldfinance/mevETH2/blob/63edde66d91c263b919fe9c21e128a382219880e/src/layerZero/oft/OFTWithFee.sol#L100-L105
REMEDIATION:
the mentioned variables should be marked as private instead of public
DESCRIPTION
The OFTWithFee.sol contract has differences from LZ implementation https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts /token/oft/v2/fee/OFTWithFee.sol. The original contract implements OZ’s ERC20 contract which uses _transfer, but this contract implements Solmate’s ERC20 which doesn’t. This contract also defines a new internal function _transfer() (L100-L105) and as stated by the doc string it might implement token fees, slashing, etc if needed. This one is called from OFTWithFee.sol:_transferFrom() only and thus used when OFT is transferred between chains. On the other hand, OFTWithFee.sol is inherited from solmate/tokens/ERC20.sol that has the implementation of transfer() which doesn’t use _transfer(). In such case, if fees/slashing/etc mechanisms are added to _transfer() there will be discrepancies in how token behaves when transferring in the same chain versus cross-chain.