Deflationary tokens are not considered in time-locked ERC20 functions #78

Open
code423n4 opened this issue May 20, 2021 · 1 comment
Labels
1 (Low Risk) bug Something isn't working

Handle

shw

Vulnerability details

Impact

The functions timeLockERC20 and timeUnlockERC20 do not consider deflationary tokens, which burn a percentage of the transferred amount during transfers. In that case, time-locked deflationary ERC20 tokens cannot be unlocked (by timeUnlockERC20) nor transferred out of the vault (by transferERC20), since the transferred amount exceeds the vault's balance.

Proof of Concept

Referenced code:
Visor.sol#L583-L639

Tools Used

None

Recommended Mitigation Steps

In function timeLockERC20, after the function transferFrom, the vault should get the actual received amount by token.balanceOf(address(this)).sub(tokenAmountBeforeTransfer).

@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels May 20, 2021
code423n4 added a commit that referenced this issue May 20, 2021
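
The accounting mismatch reported above and the recommended balance-delta fix, modeled in Python as an added example; it is not part of the original report and is not Visor's Solidity code. The 2% burn rate, the class names and the `measure_received` flag are assumptions made for illustration.

```python
class DeflationaryToken:
    """Constructed ERC20 model: every transfer burns fee_bps basis points."""
    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("transfer amount exceeds balance")  # models a revert
        burned = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - burned

class Vault:
    """Hypothetical vault; lock expiry and access control are left out."""
    address = "vault"

    def __init__(self, token, measure_received):
        self.token = token
        self.measure_received = measure_received
        self.locked = {}  # depositor -> amount the vault believes it holds

    def time_lock(self, depositor, amount):
        before = self.token.balance_of(self.address)
        self.token.transfer(depositor, self.address, amount)  # stands in for transferFrom
        received = self.token.balance_of(self.address) - before
        credit = received if self.measure_received else amount
        self.locked[depositor] = self.locked.get(depositor, 0) + credit
        return credit

    def time_unlock(self, depositor):
        self.token.transfer(self.address, depositor, self.locked[depositor])
        del self.locked[depositor]

def run_scenario(measure_received, fee_bps=200, deposit=1_000):
    """Return (recorded lock, tokens actually held, whether unlock succeeded)."""
    token = DeflationaryToken(fee_bps)
    token.balances["alice"] = deposit  # constructed starting balance
    vault = Vault(token, measure_received)
    recorded = vault.time_lock("alice", deposit)
    held = token.balance_of(Vault.address)
    try:
        vault.time_unlock("alice")
        return recorded, held, True
    except ValueError:
        return recorded, held, False
```

With `measure_received=False` the vault records more than it holds and the unlock reverts; with `True` the recorded lock equals the balance and the unlock goes through.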

ghost commented Jun 16, 2021

sponsor acknowledged
True. We are not planning on serving rebasing tokens in this case

@ghost ghost closed this as completed Jun 16, 2021
@ninek9 ninek9 reopened this Jul 21, 2021
@loudoguno loudoguno reopened this Aug 6, 2021