[Lines of code](https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L125) # Vulnerability details ## Impact The NFTBoostVault._lockTokens function is used to transfer the ERC20 voting token of the vault and the ERC1155 NFT to the NFTBoostVault contract after accounting for their respective votes. The issue here is that a fee-on-transfer token could get selected as the voting token of a vault. As a result the amount passed in by the user is not the actual amount received by the contract. Contract will receive an amount less than the passed in amount of the token. This will introduce accounting error to the delegatee voting power calculation as well as the registration.latestVotingPower as both of those use the amount value for their respective calculations. Further this accounting error could increase since the amount is multiplied by a multiplier in the event of a ERC1155 is locked in the vault. Hence small accounting error could increase as a result of being multiplied by a multiplier. Furthermore when the user tries to withdraw their deposited amount from the protocol, the protocol will not have enough funds to send to the owner since the initially deposited amount is less than the amount. When there are multiple user deposits in the contract, the caller will get his share of the tokens by using the funds of the other users thus reducing the other user fund allocation within the contract. ## Proof of Concept _lockTokens(msg.sender, uint256(amount), tokenAddress, tokenId, 1); _lockTokens(msg.sender, uint256(amount), address(0), 0, 0); registration.amount += amount; uint128 newVotingPower = (_amount * multiplier) / MULTIPLIER_DENOMINATOR; registration.amount = _amount; if (registration.tokenAddress != address(0) && registration.tokenId != 0) { return (locked * getMultiplier(registration.tokenAddress, registration.tokenId)) / MULTIPLIER_DENOMINATOR; } balance.data += amount; token.transferFrom(from, address(this), amount); _lockTokens(msg.sender, amount, address(0), 0, 0); ## Tools Used Manual Review and VSCode ## Recommended Mitigation Steps Hence it is recommended to transfer the voting tokens at the beginning of the NFTBoostVault.addNftAndDelegate and NFTBoostVault.airdropReceive functions by calling the _lockTokens function. The _lockTokens function should be updated as follows: uint256 balanceBefore = token.balanceOf(address(this)); token.transferFrom(from, address(this), amount); uint256 balanceAfter = token.balanceOf(address(this)); uint256 transferredAmount = balanceAfter - balanceBefore; And should use the transferredAmount for voting power calculations of the delegatee as well as of the registration. ## Assessed type Other --- The text was updated successfully, but these errors were encountered: All reactions