Bauer
medium
The protocol do not support fee-on-transfer tokens. If collateral token is a fee-on-transfer token, tokens received from users could be less than the amount specified in the transfer.
The _deposit() function in CollateralManager.sol receives tokens from borrower with amount collateralInfo._amount . If collateral token is a fee-on-transfer token then the actual amount received by CollateralManager.sol is less than collateralInfo._amount.Inside the function, when calling collateralEscrow.depositAsset to deposit the token to escrow contract, the amount in the function parameter is also collateralInfo._amount, so the transaction may fail or be deposited to escrow contract with the funds from the CollateralManager protocol.
function _deposit(uint256 _bidId, Collateral memory collateralInfo)
internal
virtual
{
require(collateralInfo._amount > 0, "Collateral not validated");
(address escrowAddress, address borrower) = _deployEscrow(_bidId);
ICollateralEscrowV1 collateralEscrow = ICollateralEscrowV1(
escrowAddress
);
// Pull collateral from borrower & deposit into escrow
if (collateralInfo._collateralType == CollateralType.ERC20) {
IERC20Upgradeable(collateralInfo._collateralAddress).transferFrom(
borrower,
address(this),
collateralInfo._amount
);
IERC20Upgradeable(collateralInfo._collateralAddress).approve(
escrowAddress,
collateralInfo._amount
);
collateralEscrow.depositAsset(
CollateralType.ERC20,
collateralInfo._collateralAddress,
collateralInfo._amount,
0
);
The protocol could suffer a loss of funds.
Manual Review
Consider checking the balance of the contract before and after token transfers and using instead of the amount specified in the contract.