UbiquityDollarToken: Incentives will get applied twice if the sender is the same as the recipient
Summary
UbiquityDollarToken is a standard ERC20 token, however incentives may get triggered on transfer. These incentives will get triggered twice if the sender is the same as the recipient.
Vulnerability Detail
The function _checkAndApplyIncentives()'s logic is that, if the incentive contract for the sender, recipient, or operator is set, then incentives are triggered.
While the operator's incentive has a check that it only triggers if it's different from the sender or recipient:
However there's no check for when recipient is the same as sender
address recipientIncentive = incentiveContract[recipient];
if (recipientIncentive != address(0)) { // recipient may be the same as sender
IIncentive(recipientIncentive).incentivize(
sender,
recipient,
_msgSender(),
amount
);
}
Since this token inherits OZ's standard ERC20, which supports loop transfer, incentives will get triggered twice.
We identify that this behavior is likely unintended, because operator's incentive isn't triggered if the operator is the same as either the sender or recipient. However it still triggers the second time if sender is the same as recipient.
Impact
Incentivize will trigger twice if the sender is the same as the recipient. This will likely cause wrong incentives accounting.
UbiquitousComputing
medium
UbiquityDollarToken: Incentives will get applied twice if the sender is the same as the recipientSummary
UbiquityDollarTokenis a standard ERC20 token, however incentives may get triggered on transfer. These incentives will get triggered twice if the sender is the same as the recipient.Vulnerability Detail
The function
_checkAndApplyIncentives()'s logic is that, if the incentive contract for the sender, recipient, or operator is set, then incentives are triggered.While the operator's incentive has a check that it only triggers if it's different from the sender or recipient:
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/core/UbiquityDollarToken.sol#L112-L124
However there's no check for when recipient is the same as sender
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/core/UbiquityDollarToken.sol#L101-L109
Since this token inherits OZ's standard ERC20, which supports loop transfer, incentives will get triggered twice.
We identify that this behavior is likely unintended, because operator's incentive isn't triggered if the operator is the same as either the sender or recipient. However it still triggers the second time if sender is the same as recipient.
Impact
Incentivize will trigger twice if the sender is the same as the recipient. This will likely cause wrong incentives accounting.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/core/UbiquityDollarToken.sol#L90-L109
Tool used
Manual Review
Recommendation
Check that the sender is different from the recipient, before applying the second incentive.
Duplicate of #8