LendgineRouter.mint() will always fail if collateral is a fee-on-transfer token #167

code423n4 · 2023-02-01T13:09:20Z

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/LendgineRouter.sol#L142-L169
https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/LendgineRouter.sol#L87-L124
https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L95-L99

Vulnerability details

Impact

In LendgineRouter.sol, mintCallback() will transfer token1 (collateral) to Lendgine.sol contract upon minting of Power Tokens. If token1 is a fee-on-transfer token, these transfers will incur fees and the recipient (Lendgine.sol) will receive a deducted amount that is less than the collateral amount, causing the mint to always fail.

As Numoen is permissionless, anyone can create a pool with fee-on-transfer ERC20 tokens. Example of these fee-on-transfer tokens are STA and PAXG. And some tokens (e.g. USDT) has fee-on-transfer support disabled currently but may enable it in the future.

Proof of Concept

Start by calling LengineRouter.mint() to trigger the mintCallback() function.

https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/LendgineRouter.sol#L142-L169

mintCallback() will initiate token1 transfers to Lendgine contract (which is the msg.sender) via swap(), SafeTransferLib.safeTransfer() and pay(). Lendgine contract will receive a reduced amount due to fee deduction on transfer.

https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/LendgineRouter.sol#L87-L124

As Lendgine contract is expecting the full amount of collateral to be received based on the balance increase, the mint transaction will revert.

uint256 balanceBefore = Balance.balance(token1);
IMintCallback(msg.sender).mintCallback(collateral, amount0, amount1, liquidity, data);
uint256 balanceAfter = Balance.balance(token1);

if (balanceAfter < balanceBefore + collateral) revert InsufficientInputError();

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L95-L99

Recommended Mitigation Steps

One potential mitigation is to take into account the transfer fee during the transfer request. Another option is to block these customised tokens.

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-02-07T18:23:02Z

berndartmueller marked the issue as duplicate of #263

c4-judge · 2023-02-16T09:50:18Z

berndartmueller marked the issue as satisfactory

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 1, 2023

code423n4 added a commit that referenced this issue Feb 1, 2023

peakbolt issue #167

0cf51d3

c4-judge closed this as completed Feb 7, 2023

c4-judge added the duplicate-263 label Feb 7, 2023

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LendgineRouter.mint() will always fail if collateral is a fee-on-transfer token #167

LendgineRouter.mint() will always fail if collateral is a fee-on-transfer token #167

code423n4 commented Feb 1, 2023

c4-judge commented Feb 7, 2023

c4-judge commented Feb 16, 2023

LendgineRouter.mint() will always fail if collateral is a fee-on-transfer token #167

LendgineRouter.mint() will always fail if collateral is a fee-on-transfer token #167

Comments

code423n4 commented Feb 1, 2023

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

c4-judge commented Feb 7, 2023

c4-judge commented Feb 16, 2023