Fee on transfer tokens will not behave as expected #247
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-03
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2023-01-timeswap/blob/main/packages/v2-option/src/TimeswapV2Option.sol#L145-L148
https://github.com/code-423n4/2023-01-timeswap/blob/main/packages/v2-option/src/TimeswapV2Option.sol#L235
Vulnerability details
Impact
According to Whitepaper 1.1 Permissionless:
"In Timeswap, liquidity providers can create pools for any ERC20 pair, without permission. It is designed to be generalized and works
for any pair of tokens, at any time frame, and at any market state ...
If fee on transfer token(s) is/are entailed, it will specifically make
mint()
andswap()
revert in TimeswapV2Option.sol when checking if the token0 or token1 balance target is achieved.Proof of Concept
File: TimeswapV2Option.sol#L144-L148
File: TimeswapV2Option.sol#L234-L235
File: Error.sol#L148-L153
As can be seen from the code blocks above,
checkEnough()
is meant to be reverting when token amount has not been received. But in the case of deflationary tokens, the error is going to be thrown even though the token amount has been received due to the fee factor makingbalance < balanceTarget
, i.e the contract balance of token0 and/or token1 always less thancurrentProcess.balance0Target
orcurrentProcess.balance1Target
.Tools Used
Manual inspection
Recommended Mitigation Steps
Consider:
token0AndLong0Amount
ortoken1AndLong1Amount
) if deflationary token is going to be allowed in the protocol.The text was updated successfully, but these errors were encountered: