Platform: Code4rena
Start Date: 10/05/2022
Pot Size: $50,000 USDC
Total HM: 13
Participants: 100
Period: 5 days
Judge: HardlyDifficult
Total Solo HM: 1
Id: 122
League: ETH
Rank: 99/100
Findings: 1
Award: $10.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0x1337
Also found by: 0x52, 0xDjango, 0xsanson, BondiPestControl, BowTiedWardens, GimelSec, IllIllI, MaratCerby, MiloTruck, PPrieditis, TrungOre, VAD37, WatchPug, berndartmueller, cccz, dipp, hake, hickuphh3, horsefacts, hubble, minhquanym, reassor, shenwilly, smiling_heretic
10.8874 USDC - $10.89
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L16-L17
Some ERC20 tokens customize the behaviour of their ERC20 contracts. One type is deflationary tokens, which charge a fee on every transfer() or transferFrom(). Others are rebasing tokens, such as Aave's aTokens, which increase in value over time (balanceOf changes over time).
All Cally functions assume that there are no fee-on-transfer tokens, so calculations will be wrong for such tokens.
Measure the asset change right before and after the asset-transferring routines; for an example, see https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/legacy/MetaVault.sol#L393-L400
Or clearly state that fee-on-transfer tokens are not supported.
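The balance-difference measurement recommended above, as an added example that is not code from Cally, yAxis or the original finding. The contract `MeasuredDeposit`, its `credited` mapping, the `deposit` function and the 1% fee in the comment are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC20 surface used by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault (not Cally's code): credits what arrived, not what was requested.
contract MeasuredDeposit {
    // token => depositor => amount actually received
    mapping(address => mapping(address => uint256)) public credited;
    bool private locked;

    event Deposited(address indexed token, address indexed from, uint256 requested, uint256 received);

    // Balance-difference accounting is only sound if nothing can re-enter
    // between the two balanceOf reads, so deposit() is guarded.
    modifier nonReentrant() {
        require(!locked, "REENTRANCY");
        locked = true;
        _;
        locked = false;
    }

    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 received) {
        IERC20 t = IERC20(token);
        uint256 balanceBefore = t.balanceOf(address(this));
        require(t.transferFrom(msg.sender, address(this), amount), "TRANSFER_FAILED");
        // Checked arithmetic (0.8+) reverts if the balance went down instead of up.
        received = t.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "NOTHING_RECEIVED");

        // Constructed illustration: with a 1% transfer fee, amount = 100 gives received = 99.
        credited[token][msg.sender] += received;
        emit Deposited(token, msg.sender, amount, received);
    }
}
```

This covers fee-on-transfer tokens only. For rebasing tokens, balanceOf keeps changing after the deposit, so a figure stored at deposit time still drifts from the real balance.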
#0 - outdoteth
2022-05-15T17:17:15Z
reference issue: https://github.com/code-423n4/2022-05-cally-findings/issues/39