Unsupported fee-on-transfer tokens #294
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-367
partial-50
Comments
code423n4
added
2 (Med Risk)
|
dmvt marked the issue as duplicate of #26 |
|
dmvt marked the issue as partial-50 |
|
liveactionllama marked the issue as duplicate of #367 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/debtdao/Line-of-Credit//blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L237-L238
Vulnerability details
Impact
There are ERC20 tokens that charge fee for every transfer() or transferFrom(). When using fee-on-transfer tokens in contracts, there are some unexpected situations.
For example, in the depositAndClose function, the number of tokens received by the contract will be less than totalOwed, and then sending tokens to the lender in _close will fail due to insufficient balance.
Proof of Concept
https://github.com/debtdao/Line-of-Credit//blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L292-L311
https://github.com/debtdao/Line-of-Credit//blob/e8aa08b44f6132a5ed901f8daa231700c5afeb3a/contracts/modules/credit/LineOfCredit.sol#L483-L493
Tools Used
None
Recommended Mitigation Steps
Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the transferFrom.
The text was updated successfully, but these errors were encountered: