sherlock-audit / 2023-12-dodo-gsp-judging


0xMaroutis - Proxy and upgradable tokens (like TUSD) can cause issues to the protocol #152

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 6 months ago

0xMaroutis

medium

Proxy and upgradable tokens (like TUSD) can cause issues to the protocol

Summary

Tokens whose code and logic can be changed in the future can break the protocol and lock user funds.

Vulnerability Detail

The protocol doesn't handle fee-on-transfer/rebasing/deflationary tokens; users will be unable to trade tokens or sell shares due to there not being enough assets in the contract.

Impact

The protocol will be unable to pay enough tokens to users when users want to swap tokens or sell their shares.

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPFunding.sol#L92
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L40
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L79
https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L122

Tool used

Manual Review

Recommendation

nevillehuang commented 6 months ago

Invalid. FOT/rebasing tokens/TUSD are not supported by the protocol, as mentioned in the READ.ME.