code423n4 | Code4rena | CODE423N4:2022-09-VTVL-FINDINGS-ISSUES-424
History: Sep 23, 2022 - 12:00 a.m.

Fee on transfer tokens can make users receive less than they are supposed to

Code4rena
github.com

Lines of code

Vulnerability details

Impact

Some tokens take a transfer fee (e.g. STA, PAXG). Tokens like these will be supported because the vested amount will be the amount that was actually transferred (i.e. the balance of the contract after the transfer), but it will cause the user to receive less than the amount he was supposed to receive.

Proof of Concept

Let’s assume the VTVLVesting contract is deployed with the STA token, which takes a 1% transfer fee.

  1. The admin transfers 101.01 STA (= 100 / 0.99, so that the amount after the transfer fee will be 100 STA) to the contract, so its balance after the transfer is 100 STA.
  2. The admin creates a claim for Alice using 100 STA.
  3. The linear vesting end timestamp is over and Alice calls the claim function, but she receives only 1% of it, which is 99 STA. This is the amount she was supposed to get after 99% of her linear vesting time has passed.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider supporting fee-on-transfer tokens in a special way that allows transferring more tokens to match the amount, or document this so users know to pre-calculate the amounts from the beginning.
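
The proof of concept and the pre-calculation mitigation can be replayed with integer arithmetic. The model below is an added example, not code from the report or from the VTVL code base: `FeeToken`, `VestingVault`, `gross_for_net` and `run_poc` are hypothetical names, and it assumes an 18-decimal token whose 1% fee is rounded down and deducted from the amount credited.

```python
# Added illustration: toy fee-on-transfer token plus a minimal vesting vault.
# All names are hypothetical; this is not the VTVLVesting contract code.
FEE_BPS, BPS = 100, 10_000   # 1% fee, as assumed for STA in the PoC
UNIT = 10**18                # 18-decimal base units (assumption)

def credited(amount):
    """Amount the receiver actually gets (fee rounded down)."""
    return amount - amount * FEE_BPS // BPS

def gross_for_net(net):
    """Smallest amount to send so the receiver is credited at least `net`."""
    if net <= 0:
        return 0
    gross = (net - 1) * BPS // (BPS - FEE_BPS)   # strictly below the answer
    while credited(gross) < net:
        gross += 1
    return gross

class FeeToken:
    def __init__(self):
        self.balances = {}
    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + credited(amount)
        return credited(amount)

class VestingVault:
    """Records claims in nominal units and pays them with a plain transfer."""
    def __init__(self, token):
        self.token, self.claims = token, {}
    def create_claim(self, user, amount):
        if self.token.balances.get("vault", 0) < sum(self.claims.values()) + amount:
            raise ValueError("vault underfunded")
        self.claims[user] = amount
    def withdraw(self, user, gross_up=False):
        owed = self.claims.pop(user)
        return self.token.transfer("vault", user, gross_for_net(owed) if gross_up else owed)

def run_poc(gross_up):
    """Steps 1-3 of the PoC; returns what Alice receives after full vesting."""
    token, nominal = FeeToken(), 100 * UNIT
    vault = VestingVault(token)
    payout = gross_for_net(nominal) if gross_up else nominal
    token.mint("admin", 200 * UNIT)
    token.transfer("admin", "vault", gross_for_net(payout))  # step 1: funding
    vault.create_claim("alice", nominal)                     # step 2
    return vault.withdraw("alice", gross_up)                 # step 3
```

With `gross_up=True` the fee is paid twice, once on funding and once on payout, so the admin has to fund roughly 102.03 tokens for Alice to end up with 100.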
