SoK: Current State of Ethereum's Enshrined Proposer Builder Separation
Initially introduced to Ethereum via Flashbots' MEV-boost, Proposer-Builder Separation allows proposers to auction off blockspace to a market of transaction orderers, known as builders. PBS is currently available to validators through the aforementioned MEV-boost, but its unregulated and...
mint() function logic will break with fee-on-transfer(deflationary) tokens
Lines of code Vulnerability details Impact with deflationary token mint function never succeed Proof of Concept mint function checking if balanceAfter totalLiquidity revert CompleteUtilizationError; // next check is for the case when liquidity is borrowed but then was completely accrued if...
Fee on transfer tokens will not behave as expected
Lines of code Vulnerability details Impact In Numoen, it does not specifically restrict the type of ERC20 collateral used for borrowing. If fee on transfer tokens is/are entailed, it will specifically make mint revert in Lendgine.sol when checking if balanceAfter balanceBefore + collateral. Proof...
Fee on transfer tokens will not behave as expected
Lines of code Vulnerability details Impact According to Whitepaper 1.1 Permissionless: "In Timeswap, liquidity providers can create pools for any ERC20 pair, without permission. It is designed to be generalized and works for any pair of tokens, at any time frame, and at any market state ... If fe...
A transfer-on-fee token or a deflationary/rebasing token, causing the received amount to be less than the accounted amount. For instance, a deflationary token might charge a certain fee for every safetransfer() or safetransferFrom().
Lines of code Vulnerability details Impact Alice calls stakeamount = 100 deflationary Tokens. Because the token has a fee upon transfer, StRSR receives only 99 tokens and staked that amount to mint but user thought that receives 100 tokens. But reality token received for stRSR only 99. Proof of...
No Allowlist For Bridgeable ERC-20 Tokens
Lines of code Vulnerability details Vulnerability Details We noticed that the deposit function of the L1ERC20Bridge contract code snippet 1 permits a user to bridge any ERC-20 tokens including deflationary and rebase tokens from the L1 to the L2 network. We considered that permitting non-standard...
The protocol doesn't support fee-on transfer tokens
Lines of code Vulnerability details Impact There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer functions. So if the implementing contract doesn't take this fee into...
DoS with underlying Rebasing/Deflationary tokens
Lines of code Vulnerability details M -01 Issues with underlying Rebasing/Deflationary tokens Problem When underlying token is Rebasing/Deflationary at some point users will not be able to withdraw, because of the rebasing mechanics balance of tokens of the smart contract may change over time and...
Inconsistent balance when fee-on transfer tokens.
Lines of code Vulnerability details Impact There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Proof of...
token transfers in LiquidityReserve and Staking contract don't support deflationary ERC20 tokens, and user funds can be lost if staking token was deflationary
Lines of code Vulnerability details Impact If the token is deflationary then contract will receive less token than requested amount but contract doesn't check for the real transferred amount. Because this is happening in receiving stackingtoken in addLiquidity of LiquidityReserve and stake of Staki...
functions deposit() and notifyRewardAmount() in Bribe and Gauge contract don't consider deflationary tokens when transferring
Lines of code Vulnerability details Impact The actual amount that has been transferred can be different than requested amount in deflationary tokens and this has not been addressed in transferring logic in the code. This can cause wrong calculation and rewards distribution for users. Proof of...
BathToken.sol#_deposit() attacker can mint more shares with re-entrancy from hookable tokens
Lines of code Vulnerability details BathToken.sol#_deposit() calculates the actual transferred amount by comparing the before and after balance, however, since there is no reentrancy guard on this function, there is a risk of re-entrancy attack to mint more shares. Some token standards, such as ERC77...
ExtraRewardsDistributor deposits don’t work with fee-on transfer tokens
Lines of code Vulnerability details Impact There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every safetransfer or safetransferFrom. Proof of Concept The ExtraRewardsDistributor’s...
Incorrect accounting on transfer-on-fee/deflationary tokens in Gravity contract
Lines of code Vulnerability details Impact The sendToCosmos function of Gravity transfers amount of tokenContract from the sender using the function transferFrom. If the transferred token is a transfer-on-fee/deflationary token, the actually received amount could be less than amount. However, sin...
The sendToCosmos function does not check for transfer-on-fee/deflationary tokens
Lines of code Gravity.sol#L595-L609 Vulnerability details Impact The documentation describes the use of tokens other than CUDOS in the Gravity.sol contract; so it is assumed that the CUDOS token will not be the only supported token. The documentation also states that validators on the Tendermint...
Inconsistent balance when supplying fee-on transfer tokens
Lines of code Vulnerability details Impact There are ERC20 tokens that may make certain customizations to their ERC20 contracts. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Proof of Concept AaveV3YieldSource.sol#L237 Tools Used Manu...
Fee-on-transfer/rebalancing tokens are not supported
Lines of code Vulnerability details Impact Some ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Others are rebasing tokens that increase in value over ti...
Vaults don't work with fee-on transfer tokens
Handle cmichel Vulnerability details Certain ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Impact The Vault.addValueBatch functions will receive less...
Support of deflationary / rebasing tokens
Handle pauliax Vulnerability details Impact Deflationary fee on transfer / rebasing tokens are not supported. Because anyone can createPromotion with an arbitrary token, such tokens may be lost forever. Recommended Mitigation Steps Consider checking the actual amounts transferred balance...
Bonding doesn't work with fee-on transfer tokens
Handle cmichel Vulnerability details Certain ERC20 tokens make modifications to their ERC20's transfer or balanceOf functions. One type of these tokens is deflationary tokens that charge a certain fee for every transfer or transferFrom. Impact The Bonding.bond function will revert in the...