Platform: Code4rena
Start Date: 31/03/2022
Pot Size: $75,000 USDC
Total HM: 7
Participants: 42
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 102
League: ETH
Rank: 28/42
Findings: 1
Award: $130.37
π Selected for report: 0
π Solo Findings: 0
π Selected for report: rayn
Also found by: 0xDjango, 0xkatana, 0xkowloon, BouSalman, CertoraInc, Dravee, Funen, Hawkeye, IllIllI, Jujic, Kenshin, Kthere, Meta0xNull, Sleepy, TerrierLover, async, aysha, berndartmueller, catchup, cccz, cmichel, csanuragjain, danb, defsec, georgypetrov, hake, hubble, kenta, kyliek, pauliax, rfa, robee, sahar, shenwilly, teryanarmen
130.3737 USDC - $130.37
https://github.com/code-423n4/2022-03-volt/blob/main/contracts/peg/NonCustodialPSM.sol#L274-L298
The NonCustodialPSM.mint function takes a amountIn parameter but this parameter is not the actual transferred amount for fee-on-transfer / deflationary (or other rebasing) tokens. The actual deposited amount might be lower than the specified amountIn amount which will cause amountVoltOut to be calculated improperly. This will lead to the wrong amount of Volt tokens being minted.
USDT is a stable coin that can be upgraded to become a fee-on-transfer token.
Manual analysis.
Transfer the tokens first and compare pre-/after token balances to compute the actual deposited amount.
#0 - ElliotFriedman
2022-04-07T21:06:18Z
PCV deposits and the PSM will never accept tokens that have fees on transfer
#1 - ElliotFriedman
2022-04-07T21:06:26Z
or any other non standard behavior.
#2 - jack-the-pug
2022-04-17T08:49:18Z
It should be a QA issue.
#3 - JeeberC4
2022-05-03T22:14:38Z
Generating QA Report as warden didn't have one and judge downgraded issue. Preserving original title: Incompatibility with deflationary/fee-on-transfer tokens