Contract is vulnerable to fee-on-transfer accounting-related issues
Summary
If the token is a fee-on-transfer token, the balance after the transfer will be smaller than expected, leading to accounting issues.
Vulnerability Detail
The functions (deposit, withdraw and depositForPartyB) transfer funds via safetransferFrom(), but do not ensure that the actual number of tokens received is the same as the input amount to the transfer.
Impact
Even if there are checks later, related to a secondary transfer, an attacker may be able to use latent funds (e.g. mistakenly sent by another user) in order to get a free credit.
The recommendation is made for measuring the balance before and after the transfer, and use the difference as the amount, rather than the stated amount.
SAAJ
medium
Contract is vulnerable to fee-on-transfer accounting-related issues
Summary
If the token is a fee-on-transfer token, the balance after the transfer will be smaller than expected, leading to accounting issues.
Vulnerability Detail
The functions (deposit, withdraw and depositForPartyB) transfer funds via safetransferFrom(), but do not ensure that the actual number of tokens received is the same as the input amount to the transfer.
Impact
Even if there are checks later, related to a secondary transfer, an attacker may be able to use latent funds (e.g. mistakenly sent by another user) in order to get a free credit.
Code Snippet
https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L21 https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L38 https://github.com/sherlock-audit/2023-06-symmetrical/blob/main/symmio-core/contracts/facets/Account/AccountFacetImpl.sol#L109
Tool used
Manual Review
Recommendation
The recommendation is made for measuring the balance before and after the transfer, and use the difference as the amount, rather than the stated amount.