Platform: Code4rena
Start Date: 10/03/2022
Pot Size: $75,000 USDT
Total HM: 25
Participants: 54
Period: 7 days
Judge: pauliax
Total Solo HM: 10
Id: 97
League: ETH
Rank: 49/54
Findings: 1
Award: $99.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L165-L170
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityProviders.sol#L273
https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityProviders.sol#L325
There are ERC20 tokens that charge a fee for every transfer (most notably USDT, which has a toggleable fee).
LiquidityProviders.addTokenLiquidity(), LiquidityProviders.increaseTokenLiquidity(), and LiquidityPool.depositErc20() assume that the received amount will be the same as the transfer amount, while the actual transferred amount will be lower, leading to inaccurate accounting.
In LiquidityProviders.sol this will lead to later users not being able to withdraw their deposits. In LiquidityPool.sol it will cause incorrect calculation of reward and fees.
Consider using the difference before and after the transfer as the amount to be used for accounting.
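The balance-difference accounting recommended above, as an added example that is not part of the original submission and is not the Hyphen contracts' code. The contract name `BalanceDiffDeposit`, the `credited` mapping, the `Deposited` event and the inline `IERC20Minimal` interface are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used below, declared inline so the example is self-contained.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical pool (illustration only): credits what actually arrived, not what was requested.
contract BalanceDiffDeposit {
    // token => depositor => amount credited to the depositor
    mapping(address => mapping(address => uint256)) public credited;
    bool private locked;

    event Deposited(address indexed token, address indexed from, uint256 requested, uint256 received);

    // The before/after measurement is only sound if nothing can re-enter between the two reads.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit(address token, uint256 amount) external nonReentrant returns (uint256 received) {
        require(amount != 0, "zero amount");

        uint256 balanceBefore = IERC20Minimal(token).balanceOf(address(this));
        _safeTransferFrom(token, msg.sender, address(this), amount);
        uint256 balanceAfter = IERC20Minimal(token).balanceOf(address(this));

        // For a fee-on-transfer token, received is lower than amount.
        received = balanceAfter - balanceBefore;
        require(received != 0, "nothing received");

        credited[token][msg.sender] += received;
        emit Deposited(token, msg.sender, amount, received);
    }

    // Low-level call so that tokens returning no value (USDT among them) are accepted.
    function _safeTransferFrom(address token, address from, address to, uint256 value) private {
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSignature("transferFrom(address,address,uint256)", from, to, value)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}
```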
#0 - ankurdubey521
2022-03-30T11:53:01Z
Duplicate of #39
#1 - pauliax
2022-04-26T10:51:25Z