The protocol is incompatible with Fee-On-Transfer tokens.
Vulnerability Detail
If fee-on-transfer tokens are used to fund a pool, there will be a difference between the actual amount in the pool and the amount in the accounting, the pool will account for a larger amount than it actually has.
At a later time, if we try to withdraw() or distribute() the full amount, it will revert since there are actually not that many tokens in the strategy as what the accounting says there are.
Impact
Accounting shows more than actual balance of strategy. The TREASURY also receives less fee.
Code Snippet
function _fundPool(uint256 _amount, uint256 _poolId, IStrategy _strategy) internal {
uint256 feeAmount;
uint256 amountAfterFee = _amount;
Pool storage pool = pools[_poolId];
address _token = pool.token;
if (percentFee > 0) {
feeAmount = (_amount * percentFee) / getFeeDenominator();
amountAfterFee -= feeAmount;
_transferAmountFrom(_token, TransferData({from: msg.sender, to: treasury, amount: feeAmount}));
}
_transferAmountFrom(_token, TransferData({from: msg.sender, to: address(_strategy), amount: amountAfterFee}));
_strategy.increasePoolAmount(amountAfterFee);
emit PoolFunded(_poolId, amountAfterFee, feeAmount);
}
Tool used
VSCode
Manual Review
Recommendation
Add logic to transfer/transferFrom to calculate exactly how many tokens were actually sent to a pool strategy address.
cats
medium
Incompatibility With Fee-On-Transfer Tokens
The protocol is incompatible with Fee-On-Transfer tokens.
Vulnerability Detail
If fee-on-transfer tokens are used to fund a pool, there will be a difference between the actual amount in the pool and the amount in the accounting, the pool will account for a larger amount than it actually has.
At a later time, if we try to
withdraw()
ordistribute()
the full amount, it will revert since there are actually not that many tokens in the strategy as what the accounting says there are.Impact
Accounting shows more than actual balance of strategy. The
TREASURY
also receives less fee.Code Snippet
Tool used
VSCode Manual Review
Recommendation
Add logic to
transfer/transferFrom
to calculate exactly how many tokens were actually sent to a pool strategy address.Duplicate of #19