Handle
shw
Vulnerability details
Impact
The functions timeLockERC20 and timeUnlockERC20 do not consider deflationary tokens, which burn a percentage of the transferred amount during transfers. In that case, time-locked deflationary ERC20 tokens cannot be unlocked (by timeUnlockERC20) nor transferred out of the vault (by transferERC20), since the transferred amount exceeds the vault's balance.
Proof of Concept
Referenced code:
Visor.sol#L583-L639
Tools Used
None
Recommended Mitigation Steps
In function timeLockERC20, after the function transferFrom, the vault should get the actual received amount by token.balanceOf(address(this)).sub(tokenAmountBeforeTransfer).
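The balance-difference accounting recommended above, as an added example that is not part of the original report or the project's code. The contract name, the one-lock-per-recipient-and-token simplification and the use of Solidity 0.8 checked subtraction in place of SafeMath's .sub are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical minimal vault, not Visor.sol. It shows only the accounting fix.
contract TimelockVaultSketch {
    struct Lock { uint256 amount; uint256 expires; }

    // recipient => token => lock (one lock per pair, to keep the sketch short)
    mapping(address => mapping(address => Lock)) public locks;

    function timeLockERC20(address recipient, address token, uint256 amount, uint256 expires) external {
        require(expires > block.timestamp, "expiry in the past");
        Lock storage l = locks[recipient][token];
        require(l.amount == 0, "lock exists");

        // Measure what actually arrives instead of trusting `amount`.
        uint256 tokenAmountBeforeTransfer = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - tokenAmountBeforeTransfer;
        require(received > 0, "nothing received");

        // Record the received amount; for a deflationary token received < amount.
        l.amount = received;
        l.expires = expires;
    }

    function timeUnlockERC20(address token) external {
        Lock memory l = locks[msg.sender][token];
        require(l.amount > 0, "no lock");
        require(block.timestamp >= l.expires, "still locked");
        delete locks[msg.sender][token]; // clear state before the external call
        // The recorded amount was actually received, so it does not exceed
        // what the deposit added to the vault's balance.
        require(IERC20(token).transfer(msg.sender, l.amount), "transfer failed");
    }
}
```

If the token also burns on the outgoing transfer, the recipient receives less than the recorded amount, but the unlock no longer tries to move more than the vault holds.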