MasterChef.sol:: fees on transfer tokens will grieve the MasterChef protocol and the Liquidity Provider

Summary

fees on transfer tokens will grieve the MasterChef protocol.

Vulnerability Detail

Here we are passing amount direclty to modify()where the amount is added to amount[account] of the user.

    function depositOnBehalf(uint256 pid, uint256 amount, address to) external override onlyTrusted {
        _modify(pid, to, amount.toInt256(), false);

        if (amount > 0) _farms[pid].token.safeTransferFrom(msg.sender, address(this), amount); //..@audit fees on Cash Transfer , should be caluclted the real amount before passing it to modify.
    }

Only after that we are transferring the amount from msg.sender to the protocol.

if the token for that Pool is fees on transfer protocol will get an amount < less than the passed amount but at the same time while withdrawing the protocol has to transfer the passed amount.

    function withdraw(uint256 pid, uint256 amount) external override {
        _modify(pid, msg.sender, -amount.toInt256(), true);

        if (amount > 0) _farms[pid].token.safeTransfer(msg.sender, amount);
    }

This will cause the protocol and user to be in a worst situation.

Impact

fees on transfer tokens will grieve the MasterChef protocol.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MasterchefV2.sol#L284-L288 https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MasterchefV2.sol#L306-L310 https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MasterchefV2.sol#L544

Tool used

Manual Review

Recommendation

Duplicate of #545

sherlock-audit / 2024-06-magicsea-judging

dhank - MasterChef.sol:: fees on transfer tokens will grieve the MasterChef protocol and the Liquidity Provider #685