/// @param r The receiver of the underlying tokens being withdrawn
/// @param a The amount of underlying tokens withdrawn
function deposit(address r, uint256 a) external override returns (uint256) {
/* ~~~ */
Safe.transferFrom(IERC20(underlying), msg.sender, address(this), a);
/* ~~~ */;
}
Tool used
Manual Review
Recommendation
Ensure that to check previous balance/after balance equals to amount for any rebasing/inflation/deflation.
Create a whitelist in contracts to restrict token addresses.
Tomo
medium
Unsupported transfer-with-fee tokens
Summary
Unsupported token with fee
Vulnerability Detail
Some ERC20 tokens(e.g.
STA
,PAXG
,in the future USDC,USDT), allow for charging a fee any time transfer() or transferFrom() is called.For more detail, please read this.
https://github.com/d-xo/weird-erc20#fee-on-transfer
Assume that
XYZ
token is a fee-on-transfer token with a 10% transfer fee.Assume that the user deposits 100 XYZ tokens.
The accounting system set the amount to 100 but the actual amount of XYZ tokens received by the vault will only be 90 XYZ tokens.
Impact
Internal accounting issues occur due to not support for the fee-on-transfer or rebasing token
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L145-L169
Tool used
Manual Review
Recommendation
Ensure that to check previous balance/after balance equals to amount for any rebasing/inflation/deflation.
Create a whitelist in contracts to restrict token addresses.
Duplicate of #116