ElasticSwap contest - cmichel's results

Handle

cmichel

Vulnerability details

The Exchange.addLiquidity function has code to catch and reject fee-on-transfer tokens:

if (tokenQtys.baseTokenQty != 0) {
    bool isExchangeEmpty =
        IERC20(baseToken).balanceOf(address(this)) == 0;

    // transfer base tokens to Exchange
    IERC20(baseToken).safeTransferFrom(
        msg.sender,
        address(this),
        tokenQtys.baseTokenQty
    );

    if (isExchangeEmpty) {
        // @audit only executed once at the beginning
        require(
            IERC20(baseToken).balanceOf(address(this)) ==
                tokenQtys.baseTokenQty,
            "Exchange: FEE_ON_TRANSFER_NOT_SUPPORTED"
        );
    }
}

However, the check is only executed at the initial liquidity provision, when the exchange has zero tokens (isExchangeEmpty). This does not reliably catch fee-on-transfer tokens because:

1. The initial liquidity add could be done with a token amount of 1 where the transfer fees would usually be zero.
2. The fees can be dynamic and be turned on only after the initial liquidity provision.

Impact

The provided protection does not work correctly and can easily be bypassed.

Recommended Mitigation Steps

Consider using the actual received amount as the baseTokenQty by comparing post- and pre-transfer balances.