Late Hotpink Dinosaur
Medium
Unprotected handling of tokens with dynamic/changeable fees will cause a direct loss of funds for the protocol as the received amount can be significantly less than expected when fees change during the transaction (either by admin or by token's own mechanisms).
In StablecoinHandler.sol:_stablecoinSwap() at https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L144 there is no protection against dynamic fee changes during execution:
function _stablecoinSwap(address wallet, StablecoinSwap memory ss) internal {
// Fee could change between verification and execution
ERC20PermitUpgradeable(ss.origin).safeTransferFrom(
wallet,
ss.liquiditySafe,
ss.oAmount
);
// Protocol always sends full target amount regardless of
// how much was actually received after dynamic fees
if (isXYZ(ss.target)) {
Stablecoin(ss.target).mintTo(ss.destination, ss.tAmount);
}
}No response
No response
Transaction Setup: Input: 1000 USDT Initial Fee: 2%
What Happens:
- Token admin front-runs to change transfer fee to 20%
- User's swap executes:
- Sends 1000 USDT
- Protocol receives 800 USDT (20% fee)
- Protocol sends 1000 target tokens Loss: 200 tokens per transaction
Token Setup:
- Fee increases with transfer size
- e.g., 2% for < 1000 tokens 5% for 1000-5000 tokens 10% for > 5000 tokens
What Happens:
- User swaps 6000 tokens expecting ~5880 (2% fee)
- Actually receives 5400 (10% fee due to size)
- Protocol still sends 6000 target tokens Loss: 600 tokens for the transaction
Token Setup:
- Fee varies based on network congestion
- or time of day
- or token liquidity levels
What Happens:
- User initiates swap when fee is 2%
- Transaction executes when conditions change fee to 8%
- Protocol receives 92% but sends 100% Loss: Variable based on fee at execution time
The protocol suffers losses whenever fees change to be higher than expected, with loss magnitude proportional to:
- Size of fee change
- Transaction volume
- Frequency of fee changes
No response
No response