Tokens with fee on transfer are not supported in AuctionRebalanceModuleV1.sol
Summary
Some tokens require a transfer fee and this if not properly implemented can lead to incorrect balances within the setToken
Vulnerability Detail
Some tokens take a transfer fee (e.g. STA, PAXG), some do not currently charge a fee but may do so in the future (e.g. USDT, USDC). In the current implementation, it is assumed that the received amount is the same as the transfer amount. However, due to how fee-on-transfer tokens work, much less will be received than what was transferred.
Impact
i.e. Fee-on-transfer scenario:
Contract calls transfer from contractA 100 tokens to current contract
Current contract thinks it received 100 tokens
It updates balances to increase +100 tokens
While actually contract received only 90 tokens
That breaks whole math for given token
Consider comparing before and after balance to get the actual transferred amount. Alternatively, disallow tokens with fee-on-transfer mechanics to be added as tokens.
0xcc
medium
Tokens with fee on transfer are not supported in AuctionRebalanceModuleV1.sol
Summary
Some tokens require a transfer fee and this if not properly implemented can lead to incorrect balances within the setToken
Vulnerability Detail
Some tokens take a transfer fee (e.g. STA, PAXG), some do not currently charge a fee but may do so in the future (e.g. USDT, USDC). In the current implementation, it is assumed that the received amount is the same as the transfer amount. However, due to how fee-on-transfer tokens work, much less will be received than what was transferred.
Impact
i.e. Fee-on-transfer scenario: Contract calls transfer from contractA 100 tokens to current contract Current contract thinks it received 100 tokens It updates balances to increase +100 tokens While actually contract received only 90 tokens That breaks whole math for given token
Code Snippet
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L940
Tool used
Manual Review
Recommendation
Consider comparing before and after balance to get the actual transferred amount. Alternatively, disallow tokens with fee-on-transfer mechanics to be added as tokens.