ERC20 can have tax or be deflanatory #488
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-454
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
3 (High Risk)
c4-judge
added
downgraded by judge
|
kirk-baird changed the severity to QA (Quality Assurance) |
c4-sponsor
added
the
sponsor acknowledged
|
waynehoover marked the issue as sponsor acknowledged |
c4-judge
added
2 (Med Risk)
|
This previously downgraded issue has been upgraded by kirk-baird |
1 similar comment
|
This previously downgraded issue has been upgraded by kirk-baird |
|
kirk-baird marked the issue as duplicate of #630 |
c4-judge
added
the
satisfactory
|
kirk-baird marked the issue as satisfactory |
|
kirk-baird changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L179
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L86
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L66
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96
Vulnerability details
Vulnerability details
A transfer-on-fee token or a deflationary/rebasing token, causing the received amount to be less than the accounted amount. For instance, a deflationary tokens might charge a certain fee for every transfer() or transferFrom()
There are two scenarios. Both of them stem from the fact that RH Quests support ANY kind of ERC20 tokens, hence it is possible that such that such a transfer-on-fee token or a deflationary/rebasing token be used in the protocol.
The first scenario is when a quest has ended, withdrawRemainingTokens is supposed to be called before the withdrawFee() function as shown in the diagram.
The formula in withdrawRemainingTokens is
uint256 nonClaimableTokens = IERC20(rewardToken).balanceOf(address(this)) - protocolFee() - unclaimedTokens;,which translates to "everything, but the protocolFee()".Then, if an ERC20 token that has a certain fee for transfer is used, the he amount available in the contract will be less than what the protocolFee() function is expecting.
As a result, the protocolFeeRecipient would never be able to call withdrawFee(), because there won't be enough tokens in balance.
The second scenario involves the claiming of token rewards through Quest.sol. Every claim initiated by a user triggers the transferRewards function. Depending on the amount of participants, even if the fee is not that high there's a point where its technically possible for the protocol to be out of balance.
As a result, all the claim requests will fail.
POC
Scenario 1
Scenario 2
Tools
Manual testing
Recommended Mitigation Steps
Make an allowlist for only specific tokens that you are aware will be working well with the logic imposed by the protocol.
The text was updated successfully, but these errors were encountered: