Deposits don't work with ERC20 tokens that have a fee-on-transfer/rebasing mechanism #442
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-424
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L251-L265
https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L19-L36
Vulnerability details
Impact
The vaults support ERC20 tokens as the underlying asset but do not appear to handle customised ERC20 tokens that implement a fee-on-transfer or rebasing mechanism.
There are fee-on-transfer ERC20 tokens that are deflationary and charge a fee on every transfer (e.g. STA, PAXG). Some tokens (e.g. USDT) currently have fee-on-transfer support disabled but may enable it in the future.
There are also rebasing ERC20 tokens whose balances increase over time, such as Aave's aToken (where balanceOf changes over time).
Refer to the deposit() functions in PublicVault.sol and ERC4626-Cloned.sol below.
https://github.com/code-423n4/2023-01-astaria/blob/main/src/PublicVault.sol#L251-L265
https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626-Cloned.sol#L19-L36
Recommended Mitigation Steps
One potential mitigation is to check the amount of tokens actually received by the contract after the transfer (balance after minus balance before) and to credit only that amount. Another option is to block these customised tokens.
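The balance-check mitigation, shown as an added illustrative example rather than Astaria's code. It contrasts the naive pattern (crediting the requested `assets` amount) with a version that measures what the vault actually received. The contract name `FeeAwareVault`, the share accounting, and the minimal `IERC20` interface are assumptions for the example; the interface assumes a token that returns `bool` from `transferFrom`, so a production contract would use a SafeERC20-style wrapper to cope with non-standard tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed for the example (assumption: token returns bool).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault used only to demonstrate the deposit check.
contract FeeAwareVault {
    IERC20 public immutable asset;
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    bool private locked; // simple reentrancy guard, see note below

    event Deposit(address indexed caller, address indexed receiver, uint256 assetsReceived, uint256 sharesMinted);

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // NAIVE pattern, for contrast: shares are computed from the requested `assets`
    // even though a fee-on-transfer token delivers less than `assets` to the vault.
    // The depositor is over-credited and the shortfall is borne by other holders.
    function depositNaive(uint256 assets, address receiver) external nonReentrant returns (uint256 sharesOut) {
        uint256 totalAssetsBefore = asset.balanceOf(address(this));
        sharesOut = _convertToShares(assets, totalAssetsBefore);
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        _mint(receiver, sharesOut);
        emit Deposit(msg.sender, receiver, assets, sharesOut);
    }

    // HARDENED pattern: measure the vault's balance before and after the transfer
    // and credit only the difference, so a transfer fee is paid by the depositor.
    function deposit(uint256 assets, address receiver) external nonReentrant returns (uint256 sharesOut) {
        uint256 totalAssetsBefore = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        uint256 received = asset.balanceOf(address(this)) - totalAssetsBefore;
        require(received > 0, "nothing received");

        // Convert against the balance *before* the transfer; the new tokens must
        // not count as pre-existing vault assets when pricing the shares.
        sharesOut = _convertToShares(received, totalAssetsBefore);
        require(sharesOut > 0, "zero shares");
        _mint(receiver, sharesOut);
        emit Deposit(msg.sender, receiver, received, sharesOut);
    }

    // Standard pro-rata share pricing: first depositor gets 1:1, later depositors
    // get shares in proportion to the assets already held.
    function _convertToShares(uint256 assetsIn, uint256 totalAssetsBefore) internal view returns (uint256) {
        if (totalShares == 0 || totalAssetsBefore == 0) {
            return assetsIn;
        }
        return (assetsIn * totalShares) / totalAssetsBefore;
    }

    function _mint(address to, uint256 amount) internal {
        totalShares += amount;
        shares[to] += amount;
    }
}
```

Two caveats a reviewer would raise. First, the before/after check relies on no other code path changing the vault's balance during the transfer, so it should sit behind a reentrancy guard (tokens with transfer hooks can call back into the vault mid-transfer). Second, this check only addresses fee-on-transfer tokens: a rebasing token changes `balanceOf` between calls, so share pricing based on the live balance still drifts, and such tokens need either internal accounting of deposited amounts, a wrapping layer, or the "block these tokens" option from the mitigation above.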