
22 matches found

OSV
added 2026/03/12 2:50 p.m. | 1 view

GHSA-725G-W329-G7QR kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification

Summary When a user pays transaction fees using a Token-2022 token with a TransferFeeConfig extension, Kora's verifytokenpayment credits the full raw transfer amount as the payment value. However, the on-chain SPL Token-2022 program withholds a portion of that amount as a transfer fee, so the...

AI score: 5.8
Exploits: 0 | References: 3

GitHub Security Blog
added 2026/03/12 2:50 p.m. | 5 views

kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification

Summary When a user pays transaction fees using a Token-2022 token with a TransferFeeConfig extension, Kora's verifytokenpayment credits the full raw transfer amount as the payment value. However, the on-chain SPL Token-2022 program withholds a portion of that amount as a transfer fee, so the...

AI score: 5.8
Exploits: 0 | References: 3 | Affected Software: 1

Code423n4
added 2023/09/11 12:00 a.m. | 11 views

User funds may be blocked if tokens with a transfer fee are used as the underlyingToken

Lines of code Vulnerability details Impact The user can create rights token pair pulling underlying token. To do this, it calls the create function. During the execution of the function, the user sends tokens to the contract address. If an ERC20 token is used as a tokenContract, then the...

AI score: 7.1
Exploits: 0

Code423n4
added 2023/09/11 12:00 a.m. | 83 views

Fee on transfer tokens will cause users to lose funds

Lines of code Vulnerability details Impact Some ERC20 tokens allow for charging a fee any time transfer or transferFrom is called. If a contract does not allow for amounts to change after transfers, subsequent transfer operations based on the original amount will revert due to the contract having...

AI score: 7
Exploits: 0

Code423n4
added 2023/01/20 12:00 a.m. | 13 views

A transfer-on-fee token or a deflationary/rebasing token, causing the received amount to be less than the accounted amount. For instance, a deflationary tokens might charge a certain fee for every safetransfer() or safetransferFrom().

Lines of code Vulnerability details Impact Alice calls stakeamount = 100 deflationary Tokens. Because the token has a fee upon transfer, StRSR receives only 99 tokens and staked that amount to mint but user thought that receives 100 tokens. But reality token received for stRSR only 99. Proof of...

AI score: 6.9
Exploits: 0

Code423n4
added 2023/01/20 12:00 a.m. | 13 views

Fee on transfer based collateral is not considered.

Lines of code Vulnerability details Impact It has following impacts. 1. backingManager would be transferred with lesser than deposits 2. Recorded liabilities will be more 3. collateral deposited into the RToken contract would be lesser than deposits Proof of Concept Any one can mint RToken by...

AI score: 7
Exploits: 0

Code423n4
added 2022/11/10 12:00 a.m. | 8 views

Logic in LineLib does not work correctly with fee-on-transfer tokens

Lines of code Vulnerability details Proof of Concept Some tokens take a transfer fee e.g. STA, PAXG, some do not currently charge a fee but may do so in the future e.g. USDT, USDC. The code currently receives ERC20 tokens but does not account for the potential fees paid in the transfer. If such a...

AI score: 7.1
Exploits: 0

Code423n4
added 2022/10/01 12:00 a.m. | 6 views

Minting LP for a token pair that contains a fee on transfer token will cause partial loss of funds for other token in pair

Lines of code Vulnerability details Impact Partial loss of funds for other token in pair with fee on transfer token Proof of Concept AlgebraPool.solL458-L467 liquidityActual = liquidityDesired; if receivedAmount0 amount0 liquidityActual = uint128FullMath.mulDivuint256liquidityActual,...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/09/23 12:00 a.m. | 18 views

Fee on transfer tokens can make users receive less than they are supposed to

Lines of code Vulnerability details Impact Some tokens take a transfer fee e.g. STA, PAXG. Tokens like these will be supported because the vested amount will be the amount that was actually transferred i.e. the balance of the contract after the transfer, but it will cause the user to receive less...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/09/12 12:00 a.m. | 18 views

Tokens with fee on transfer are not supported

Lines of code Vulnerability details Impact There are ERC20 tokens that charge fee for every transfer or transferFrom. If these tokens are unsupported, ensure there is proper documentation about it. Proof of Concept 6 instances in 2 files: contracts/shutdown/fuse/RariMerkleRedeemer.sol...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/06/06 12:00 a.m. | 9 views

Upgraded Q -> M from 74 [1654474884998]

Judge has assessed an item in Issue 74 as Medium risk. The relevant finding follows: Protocol does not support fee-on-transfer tokens The tokenIdOrAmount established in createVault prevents buyers from exercise their option because addressthis holds less than tokenIdOrAmount due to the transfer...

AI score: 6.8
Exploits: 0

Code423n4
added 2022/05/30 12:00 a.m. | 13 views

Bribe.sol Tokens with fee on transfer are not supported

Lines of code Vulnerability details There are ERC20 tokens that charge fee for every transfer or transferFrom. In the current implementation, Bribe.solnotifyRewardAmount assumes that the received amount is the same as the transfer amount, and uses it to calculate reward amounts. As a result, in...

AI score: 6.7
Exploits: 0

Code423n4
added 2022/04/07 12:00 a.m. | 3 views

Protocol doesn't handle fee on transfer tokens

Lines of code Vulnerability details Impact Since the borrower is able to specify any asset token, it is possible that loans will be created with tokens that support fee on transfer. If a fee on transfer asset token is chosen, the protocol will contain a point of failure on the original lend call...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/04/06 12:00 a.m. | 10 views

Tokens with fee on transfer are not supported

Lines of code Vulnerability details There are ERC20 tokens that charge fee for every transfer / transferFrom. Vault.soladdValue assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. But, the actual transferred amount can ...

AI score: 6.9
Exploits: 0

Code423n4
added 2022/01/10 12:00 a.m. | 23 views

Fee-on transfer tokens not supported

Handle pmerkleplant Vulnerability details Impact There exist ERC20 tokens that charge a fee for every transfer. This kind of token does not work correctly with the PoolTemplate::deposit function. Proof of Concept The PoolTemplate::deposit function mints an amount of iTokens based on the function'...

AI score: 7
Exploits: 0

Code423n4
added 2022/01/10 12:00 a.m. | 8 views

_transferAndCheckUnderlying doesn't work with fee-on-transfer tokens

Handle harleythedog Vulnerability details Impact There are several ERC20 tokens that take a small fee on transfers/transferFroms known as "fee-on-transfer" tokens. Most notably, USDT is an ERC20 token that has togglable transfer fees, but for now the fee is set to 0 see the contract here: . In th...

AI score: 7
Exploits: 0

Code423n4
added 2021/12/12 12:00 a.m. | 7 views

TwabRewards: fee on transfer token as promotion token will block at least one epoch reward claim

Handle GiveMeTestEther Vulnerability details Impact If the promotion token applies transfer fees, the total amount to claim will be less than "tokensPerEpoch numberOfEpochs" bcs a part of this amount is the fee = funds + fee, but only the "funds" can be withdrawn but the calculation in...

AI score: 6.8
Exploits: 0

Code423n4
added 2021/12/12 12:00 a.m. | 7 views

TwabRewards: fee on transfer token as promotion token can make claimRewards() fail

Handle GiveMeTestEther Vulnerability details Impact If the rewards creator sets a token that applies transfer fees for the promotion token, users won't be able to claim some of their rewards because the claimRewards uses calculateRewardAmount that assumes for each epoch there are...

AI score: 6.8
Exploits: 0

Code423n4
added 2021/11/23 12:00 a.m. | 9 views

MixinTransfer.sol#shareKey charges extra when timePlusFee >= timeRemaining.

Handle 0x0x0x Vulnerability details Impact Users can lose extra time, when they shareKey Proof of Concept When timePlusFee timeRemaining does not hold, the fee is calculated as follow: fee = getTransferFeekeyOwner, timeRemaining; time = timeRemaining - fee; By doing so fee is also charged for the...

AI score: 6.7
Exploits: 0

Code423n4
added 2021/10/04 12:00 a.m. | 9 views

User can get more/less interest than required

Handle csanuragjain Vulnerability details Impact It seems that owner must not get interest for transfer fee which is collected using transferNotionalFee No interest is calculated on owner side before reducing the owner notional amount But this can simply be bypassed if owner adds new notional whi...

AI score: 6.9
Exploits: 0