Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tokens with fee on transfer are not supported in TimeswapV2Option.sol #52

Closed
code423n4 opened this issue Jan 22, 2023 · 6 comments
Closed

Tokens with fee on transfer are not supported in TimeswapV2Option.sol #52

code423n4 opened this issue Jan 22, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-247 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L220
https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L259
https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L262

Vulnerability details

Some tokens take a transfer fee (e.g. STA, PAXG), some do not currently charge a fee but may do so in the future (e.g. USDT, USDC).

Should a fee-on-transfer token be used, it could be abused to mint more shares. In the current implementation, TimeswapV2Option.sol#swap() and TimeswapV2Option.sol#collect() assume that the received amount is the same as the transfer amount, and uses it to calculate funds. As a result, users will be unable to properly use the functionality of swap and collect functions due to how fee-on-transfer tokens work.

Proof Of Concept

220: IERC20(param.isLong0ToLong1 ? token0 : token1).safeTransfer(param.tokenTo, param.isLong0ToLong1 ? token0AndLong0Amount : token1AndLong1Amount);

https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L220

259: if (token0Amount != 0) IERC20(token0).safeTransfer(param.token0To, token0Amount);
262: if (token1Amount != 0) IERC20(token1).safeTransfer(param.token1To, token1Amount);

https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L259

https://github.com/code-423n4/2023-01-timeswap/tree/main/packages/v2-option/src/TimeswapV2Option.sol#L262

Recommended Mitigation Steps

  • Consider comparing before and after balance to get the actual transferred amount.
  • Alternatively, disallow tokens with fee-on-transfer mechanics to be added as reward tokens.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 22, 2023
code423n4 added a commit that referenced this issue Jan 22, 2023
@code423n4
Rolezn issue #52
dd67088
@code423n4 code423n4 changed the title Tokens with fee on transfer are not supposed in TimeswapV2Option.sol Tokens with fee on transfer are not supported in TimeswapV2Option.sol Jan 25, 2023
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Feb 2, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 2, 2023

Picodes marked the issue as primary issue

This was referenced Feb 2, 2023
Closed
Closed
Open
Closed
Closed
Closed
@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Feb 8, 2023
@c4-sponsor
Copy link

vhawk19 marked the issue as sponsor disputed

@c4-sponsor c4-sponsor added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels Feb 8, 2023
@c4-sponsor
Copy link

vhawk19 marked the issue as sponsor acknowledged

@vhawk19
Copy link

vhawk19 commented Feb 8, 2023

This is currently not supported by design

@c4-judge c4-judge added duplicate-247 and removed primary issue Highest quality submission among a set of duplicates labels Feb 12, 2023
@c4-judge
Copy link
Contributor

Picodes marked issue #247 as primary and marked this issue as a duplicate of 247

@c4-judge
Copy link
Contributor

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-247 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@vhawk19 @code423n4 @c4-judge @c4-sponsor