0xRajeev
WildCredit allows the permissionless listing of any ERC20 assets/pairs to be used in the protocol. Some of these tokens could charge a fee on transfer, add a reward, or rebase over time. However, the protocol does not have the required support to handle such tokens. The necessary checks include at least verifying the contract's token balance before and after the actual transfer to infer any fees/interest/reward/rebasing, rather than trusting the requested amount. These checks appear to be absent from the functions that move tokens into and out of the protocol's contracts.
Impact: Listing of rebasing/deflationary/inflationary tokens accidentally/maliciously will lead to miscalculations of protocol balances.
Severity Rationale: The severity of this is typically Low if there is functionality for an owner-based vetting/whitelisting of assets but given that there is none in this protocol, the severity is marked as Medium.
See finding <https://consensys.net/diligence/audits/2020/12/growth-defi-v1/#evaluate-all-tokens-prior-to-inclusion-in-the-system>
See finding <https://consensys.net/diligence/audits/2021/03/umbra-smart-contracts/#document-token-behavior-restrictions>
Manual Analysis
Add necessary checks including at least verifying the amount of tokens transferred to/from contracts before and after the actual transfer to infer any fees/interest/reward/rebasing. Alternatively whitelist/blacklist allowed/disallowed assets.
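The following is an added illustration of the recommended mitigation and is not WildCredit's code; it shows a hypothetical deposit function that credits only the balance delta actually received (covering fee-on-transfer and deflationary tokens) together with the alternative owner-managed whitelist. `SafeDepositExample`, `deposit` and `setAllowed` are invented names for this example, and OpenZeppelin's `IERC20`/`SafeERC20` are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependency: OpenZeppelin's ERC20 interface and safe transfer wrappers.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example (not part of the audited protocol): a deposit path that
/// measures what was actually received instead of trusting `amount`.
contract SafeDepositExample {
    using SafeERC20 for IERC20;

    // token => user => amount the protocol actually holds on the user's behalf
    mapping(address => mapping(address => uint256)) public balances;

    // Alternative mitigation from the finding: owner-vetted asset whitelist.
    mapping(address => bool) public allowedTokens;
    address public immutable owner;

    event Deposited(address indexed token, address indexed user, uint256 requested, uint256 received);

    constructor() {
        owner = msg.sender;
    }

    /// Owner vets assets before they can be used; rebasing tokens, whose
    /// balances change after the transfer, should simply not be allowed here,
    /// because a before/after check only catches transfer-time discrepancies.
    function setAllowed(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTokens[token] = allowed;
    }

    /// Credits the caller with the balance delta observed on this contract,
    /// so a fee-on-transfer token cannot inflate protocol accounting.
    function deposit(address token, uint256 amount) external returns (uint256 received) {
        require(allowedTokens[token], "token not whitelisted");

        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 after_ = IERC20(token).balanceOf(address(this));

        // Received can be less than `amount` (fee/deflation); never more is assumed.
        received = after_ - before;
        require(received > 0, "nothing received");

        balances[token][msg.sender] += received;
        emit Deposited(token, msg.sender, amount, received);
    }

    /// Withdrawals send what the user is credited with; the same before/after
    /// pattern can be applied on the receiving side if the caller needs it.
    function withdraw(address token, uint256 amount) external {
        require(balances[token][msg.sender] >= amount, "insufficient balance");
        balances[token][msg.sender] -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```

The two mitigations address different token behaviours: the balance delta handles tokens that take a fee at transfer time, while the whitelist is what keeps rebasing or reward-accruing tokens, whose balances drift after the transfer has completed, out of the accounting entirely.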