Fee-on-transfer / rebasing tokens lead to errors

[code423n4]

Lines of code

https://github.com/debtdao/Line-of-Credit/blob/d7ef66035ddf873b0c96804a1c9deeebb1f798ea/contracts/utils/LineLib.sol#L69
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/utils/SpigotLib.sol#L38

Vulnerability details

Impact & Proof Of Concept

The function LineLib.receiveTokenOrETH that is used in multiple places assumes that the requested transfer amount is also equal to the actual transferred amount:

if(token != Denominations.ETH) { // ERC20
            IERC20(token).safeTransferFrom(sender, address(this), amount);
}

This is not true for fee-on-transfer tokens, where the change in balance is smaller than the requested amount. This leads to problems in multiple places. For instance, in LineOfCredit.addCredit, the amount parameter is used to create the credit:

LineLib.receiveTokenOrETH(token, lender, amount);

bytes32 id = _createCredit(lender, token, amount);

When the contract does not contain this amount, there are two options:
1.) Payouts that should be possible are not possible (because the balance is not sufficient).
2.) Funds from other users are used for payouts.

Another big problem for the system are rebasing tokens. This can cause an underflow in SpigotLib._claimRevenue (because the balance is now smaller than the previously cached balance), making all calls to claim revenue revert:

uint256 existingBalance = LineLib.getBalance(token);
...

claimed = existingBalance - self.escrowed[token];

Recommended Mitigation Steps

Check the actual amount that was transferred (i.e., the difference of the balances).

[c4-judge]

dmvt marked the issue as duplicate of #26

[c4-judge]

dmvt marked the issue as satisfactory

[C4-Staff]

liveactionllama marked the issue as duplicate of #367