Closed sherlock-admin closed 1 year ago
Invalid, we don't allow tokens with transfer fees to be listed on a vault per this exact issue.
This was in the original code, tokens with transfer fees are explicitly prevented: https://github.com/notional-finance/contracts-v2/blob/a4ffd1f5efc9fb2210afd002ecb1fd7e4e28e4ea/contracts/internal/vaults/VaultConfiguration.sol#L232-L237
xiaoming90
medium
Unable To Recover Funds From Account
Summary
Due to how tokens with a transfer fee are handled within the custom `transfer` function, it is not possible for Notional to recover funds from the account.
Vulnerability Detail
The following `transfer` function is used within the `VaultConfiguration._redeem` function. Under normal circumstances, the `actualTransferExternal` returned is equal to the `netTransferExternal`. On Line 210-215, if the token has a transfer fee, the `netDeposit` will be returned instead. Note that the `netDeposit` will always be less than the `netTransferExternal` and this will be the root cause of this issue.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/balances/TokenHandler.sol#L190
Within the `VaultConfiguration._redeem` function, the above-mentioned `transfer` function will be triggered at Line 643 if the `amountTransferred < underlyingExternalToRepay`. This code block will execute if there are insufficient strategy tokens to repay debts and Notional will attempt to recover the remaining tokens from the account directly.
Assume that at Line 623, the values of the state variables are as follows:
underlyingExternalToRepay = 100
amountTransferred = 90
Since `amountTransferred < underlyingExternalToRepay` is true, `residualRequired` will be set to 10 at Line 628.
At Line 643, it will attempt to recover the `residualRequired` (10) amount of tokens from the account. Assuming that this token has a transfer fee, the actual amount received by Notional is 8 tokens. Thus, the `netDeposit` will be `8`, and subsequently, the `actualTransferExternal` will be set to `8`.
At Line 646, the following code will be executed, and therefore the `amountTransferred` will be set to `98`.
At Line 651, the following code will always be evaluated as `False` and cause a revert because the `amountTransferred` will never be equal to or larger than `underlyingExternalToRepay` if the token has a transfer fee.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L578
Impact
The protocol is unable to recover funds from the account if the token has a transfer fee.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/balances/TokenHandler.sol#L190
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L578
Tool used
Manual Review
Recommendation
Consider implementing any of the following mitigations:
`transfer` function used at Line 643 and the require check at Line 651 within the `VaultConfiguration._redeem` function accordingly so that they are in sync.
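The scenario walked through in the report, as an added Python model (not Notional's Solidity and not code from the report or the project). All class and function names are hypothetical, and the 20% fee is an assumption chosen only to reproduce the report's 10 requested, 8 received figures; `can_list` models the kind of listing-time restriction the sponsor reply describes.

```python
class InsufficientRepayment(Exception):
    """Stands in for the revert at the final check (state rollback is not modelled)."""


class FeeToken:
    """Hypothetical ERC20-like token that withholds fee_bps of every transfer."""

    def __init__(self, fee_bps, balances):
        self.fee_bps = fee_bps
        self.balances = dict(balances)

    def transfer_from(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


def deposit_measured(token, account, protocol, amount):
    """Pull `amount` and return what actually arrived (balance delta),
    playing the role of netDeposit in the report."""
    before = token.balances.get(protocol, 0)
    token.transfer_from(account, protocol, amount)
    return token.balances[protocol] - before


def recover_residual(token, account, protocol, amount_transferred, underlying_to_repay):
    """Model of the branch the report describes: request exactly the shortfall,
    add what was received, then require the debt to be fully covered."""
    if amount_transferred < underlying_to_repay:
        residual_required = underlying_to_repay - amount_transferred
        amount_transferred += deposit_measured(token, account, protocol, residual_required)
    if amount_transferred < underlying_to_repay:
        raise InsufficientRepayment(f"{amount_transferred} < {underlying_to_repay}")
    return amount_transferred


def can_list(token):
    """Listing-time guard (assumed form): refuse any token with a transfer fee."""
    return token.fee_bps == 0
```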