Incompatibility With Fee-On-Transfer Tokens

The protocol is incompatible with Fee-On-Transfer tokens.

Vulnerability Detail

If fee-on-transfer tokens are used to fund a pool, there will be a difference between the actual amount in the pool and the amount in the accounting, the pool will account for a larger amount than it actually has.

At a later time, if we try to withdraw() or distribute() the full amount, it will revert since there are actually not that many tokens in the strategy as what the accounting says there are.

Impact

Accounting shows more than actual balance of strategy. The TREASURY also receives less fee.

Code Snippet

function _fundPool(uint256 _amount, uint256 _poolId, IStrategy _strategy) internal {
        uint256 feeAmount;
        uint256 amountAfterFee = _amount;

        Pool storage pool = pools[_poolId];
        address _token = pool.token;

        if (percentFee > 0) {
            feeAmount = (_amount * percentFee) / getFeeDenominator();
            amountAfterFee -= feeAmount;

            _transferAmountFrom(_token, TransferData({from: msg.sender, to: treasury, amount: feeAmount}));
        }

        _transferAmountFrom(_token, TransferData({from: msg.sender, to: address(_strategy), amount: amountAfterFee}));

        _strategy.increasePoolAmount(amountAfterFee);

        emit PoolFunded(_poolId, amountAfterFee, feeAmount);
    }

Tool used

VSCode Manual Review

Recommendation

Add logic to transfer/transferFrom to calculate exactly how many tokens were actually sent to a pool strategy address.

Duplicate of #19

sherlock-audit / 2023-09-Gitcoin-judging