Itchy Slate Rat
Medium
In the claim
function, the code assumes that the full claimAmount
specified will be received by the claimTarget
. However, for fee-on-transfer tokens, the actual amount received will be less than the amount sent. This discrepancy is not accounted for, leading to an overestimation of the totalClaimed
amount.
As stated in the README the protocol does expect interact with all weird ERC20s including USDT.
Looking at the `claim` function, fee-on-transfer tokens are clearly not being accounted for.
function claim(address claimTarget, bytes calldata data_) external override onlyOwner returns (bool) {
BoostClaimData memory boostClaimData = abi.decode(data_, (BoostClaimData));
uint256 signedAmount = abi.decode(boostClaimData.incentiveData, (uint256));
uint256 claimAmount;
if (!_isClaimable(claimTarget)) revert NotClaimable();
if (reward == 0) {
claimAmount = signedAmount;
} else {
// NOTE: this is assuming that the signed scalar is in ETH decimal format
claimAmount = reward * signedAmount / 1e18;
}
if (totalClaimed + claimAmount > limit) revert ClaimFailed();
totalClaimed += claimAmount; // < @audit
asset.safeTransfer(claimTarget, claimAmount);
emit Claimed(claimTarget, abi.encodePacked(asset, claimTarget, claimAmount));
return true;
}
This issue is also prevalent in the clawback
function.
function clawback(bytes calldata data_) external override onlyOwner returns (bool) {
ClawbackPayload memory claim_ = abi.decode(data_, (ClawbackPayload));
(uint256 amount) = abi.decode(claim_.data, (uint256));
limit -= amount; // < @audit
// Transfer the tokens back to the intended recipient
asset.safeTransfer(claim_.target, amount);
emit Claimed(claim_.target, abi.encodePacked(asset, claim_.target, amount));
return true;
}
As it can be seen in both cases when fee-on-transfer tokens are used the totalClaimed
and limit
amounts will be updated incorrectly.
Incorrect values of limit
and totalClaimed
cause _isClaimable
to return incorrect value since it uses the comparison "totalClaimed < limit
" thus leading to DoS to the legitimate claimants.
Manual Review
Implement a balance check before and after the transfer.
Then use the differences in these balances to update the limit
and totalClaimed
in their respective functions.