rvierdiiev - Protocol doesn't work proper with fee-on-transfer tokens

[sherlock-admin]

rvierdiiev

medium

Protocol doesn't work proper with fee-on-transfer tokens

Summary

When fee-on-transfer tokens will be used for staking then protocol will lost some funds.

Vulnerability Detail

Some ERC20 tokens may take fee when transfer assets.
This is how deposit function works.

function deposit(uint256 _amount, uint256 _duration, address _receiver) external override {
        if (_amount == 0) {
            revert ZeroAmountError();
        }
        // Don't allow locking > maxLockDuration
        uint256 duration = _duration.min(maxLockDuration);
        // Enforce min lockup duration to prevent flash loan or MEV transaction ordering
        duration = duration.max(MIN_LOCK_DURATION);

        depositToken.safeTransferFrom(_msgSender(), address(this), _amount);

        uint256 mintAmount = _amount * getMultiplier(duration) / 1e18;

        depositsOf[_receiver].push(Deposit({
            amount: _amount,
            shareAmount: mintAmount,
            start: uint64(block.timestamp),
            end: uint64(block.timestamp) + uint64(duration)
        }));

        _mint(_receiver, mintAmount);
        emit Deposited(_amount, duration, _receiver, _msgSender());
    }

After token transfering it doesn't check how the balance increased. Provided by user _amount param is saved to the Deposit struct. Also share amount that is minted depends on _amount param.

The same is for increaseLock function.
When user withdraw then saved amount is transferred back.

Impact

Protocol calculates more deposited tokens for the depositor. When people will start withdrawing their staked funds some of them can be left without some part. Also protocol mints a bigger share for the depositor.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Check balance before and after sending tokens to the pool. Use the difference as provided amount.