Timeswap contest - Ruhum's results

Handle

Ruhum

Vulnerability details

Impact

There are ERC20 tokens that collect fees with each transfer. If the asset or collateral used in a pair is of that type, the Convenience contract fails to function. It always sends the flat amount specified in the function's parameter. If the token collects fees, the amount the Pair contract receives is less than it expects to get and reverts the transaction.

Proof of Concept

The function used to trigger the callback function and verify the received value: https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/libraries/Callback.sol#L50

Convenience contract's callback function uses the amount specified in collateralIn in the transfer function: https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Convenience/contracts/TimeswapConvenience.sol#L535

If the token collects fees, the value the Pair contract receives will be less than collateralIn. The following require statement will fail: https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/libraries/Callback.sol#L52

The same thing applies to all the other callback functions in the library.

This issue doesn't impact the Pair contract itself. Because of the safety checks for each callback, the contract always receives the amount it expects or the transaction is reverted. Meaning, the user has to adapt and cover the fees themselves. The convenience contract doesn't do that and thus always fails.

The only issue would be outgoing transfers. For example, if a borrower pays back their debt, the pair contract receives the correct amount. But, the borrower will receive less collateral because of the fees. Since there's no such check in those cases: https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/TimeswapPair.sol#L374

Tools Used

none

Recommended Mitigation Steps