Skip to content

Latest commit

 

History

History
44 lines (35 loc) · 2.58 KB

029.md

File metadata and controls

44 lines (35 loc) · 2.58 KB
Raw

Teeny Admiral Seagull

Medium

ERC20 Token with rebase/FOT feature

Summary

There are certain ERC20 tokens, with additional features which might result in breaking the internal accounting of the protocol

Vulnerability Detail

Boost is intended to support any kinds of ERC20 token, but has not extended the support in terms of code. Certain tokens like stETH/aAAVE has special features in their code such as rebalancing / FOT , like stETH has a 1 wei corner case . If during transferring the token goes through rebalancing or has a fee in it then the internal accounting can be broken or user might recieve less amount than intended

ManagedBudget.sol

1> allocate() https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/budgets/ManagedBudget.sol#L70 for FOT type token the next lines will always revert

 if (request.asset.balanceOf(address(this)) < payload.amount) {
                revert InvalidAllocation(request.asset, payload.amount);
            }

CGDA.Incentive.sol

While transferring tokens from the protocol to the recipient, if a rebasing occurs , the trust assumptions between users and project might be broken due to users receiving less amount due to deflation token 1> Claim():: https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L96 2> Clawback(): https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L108

Since, if the balance changed later, the returned value will be inaccurate. And the amount used before and after that specific operation might differ.

Impact

The ultimate effect will be seen during a point will be reached where the Token balance in the contract will be zero, while the internal accounting still registers that there are still amount available for users to collect

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L108 https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L96 https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/budgets/ManagedBudget.sol#L309

Tool used

Manual Review

Recommendation

check the before and after balance of token for particular operation by calling IERC20(token).balanceOf() to confirm the balance or use the relative shares of each user instead of specific amount if necessary,