sherlock-audit / 2023-09-Gitcoin-judging


p0wd3r - `fundPool` does not work with fee-on-transfer token #19

Open sherlock-admin2 opened 1 year ago

sherlock-admin2 commented 1 year ago

p0wd3r

medium

fundPool does not work with fee-on-transfer token

Vulnerability Detail

In _fundPool, the parameter for increasePoolAmount is directly the amount used in the transferFrom call.

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L516-L517

        _transferAmountFrom(_token, TransferData({from: msg.sender, to: address(_strategy), amount: amountAfterFee}));
        _strategy.increasePoolAmount(amountAfterFee);

When _token is a fee-on-transfer token, the actual amount transferred to _strategy will be less than amountAfterFee. Therefore, the current approach could lead to a recorded balance that is greater than the actual balance.

Impact

fundPool does not work with fee-on-transfer token

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Allo.sol#L516-L517

Tool used

Manual Review

Recommendation

Use the change in _token balance as the parameter for increasePoolAmount.
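The mismatch and the recommended balance-delta fix, as an added example that is not part of the original report or the Allo code base. `FeeToken`, `MockStrategy`, `Funder`, the 1% fee and the plain `transferFrom` calls are constructed stand-ins; only `increasePoolAmount` and `amountAfterFee` come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed mock: charges a 1% fee on every transfer (hypothetical token, not from the audit).
contract FeeToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1e24; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - amount / 100; // recipient gets 99%, the fee is burned
        return true;
    }
}

// Constructed stand-in for a strategy: it only tracks the recorded pool amount.
// Access control is omitted because this is a mock.
contract MockStrategy {
    uint256 public poolAmount;
    function increasePoolAmount(uint256 _amount) external { poolAmount += _amount; }
}

contract Funder {
    // Pattern from the report: records the requested amount, so poolAmount
    // ends up larger than the strategy's real token balance.
    function fundNaive(FeeToken token, MockStrategy strategy, uint256 amountAfterFee) external {
        require(token.transferFrom(msg.sender, address(strategy), amountAfterFee), "transfer failed");
        strategy.increasePoolAmount(amountAfterFee);
    }

    // Recommended pattern: record only what the strategy actually received.
    function fundMeasured(FeeToken token, MockStrategy strategy, uint256 amountAfterFee) external {
        uint256 balanceBefore = token.balanceOf(address(strategy));
        require(token.transferFrom(msg.sender, address(strategy), amountAfterFee), "transfer failed");
        uint256 received = token.balanceOf(address(strategy)) - balanceBefore;
        strategy.increasePoolAmount(received);
    }
}
```

Funding 100e18 through `fundNaive` leaves `poolAmount` at 100e18 against a strategy balance of 99e18, while `fundMeasured` records 99e18, so `poolAmount` matches `token.balanceOf(address(strategy))`.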

MLON33 commented 1 year ago

https://github.com/allo-protocol/allo-v2/pull/355

quentin-abei commented 1 year ago

Should consider choosing this issue for report: 30. It's better detailed and has an actual working coded PoC.

jack-the-pug commented 1 year ago

Fixed.