Skip to content

Latest commit

 

History

History
113 lines (89 loc) · 3.6 KB

013.md

File metadata and controls

113 lines (89 loc) · 3.6 KB
Raw

Nutty Mandarin Chameleon

Medium

Missing fee transfer for referral in _feeDispersal function

Summary

The _feeDispersal() function of the AmirX.sol contract is not correctly transferring the referral fee (i.e., defi.referralFee) from the defi.defiSafe address to the contract before executing the fee distribution logic. This results in a missing transaction for the referral fee.

Root Cause

The primary issue lies in the absence of a safeTransferFrom call for transferring the defi.referralFee from the defi.defiSafe address to the contract:

    function _feeDispersal(DefiSwap memory defi) internal {
        // must buy into TEL
        if (defi.feeToken != TELCOIN)
            _buyBack(
                defi.feeToken,
                defi.aggregator,
                defi.defiSafe,
                defi.swapData
            );

        // distribute reward
        if (defi.referrer != address(0) && defi.referralFee != 0) {
            TELCOIN.forceApprove(address(defi.plugin), 0);
            TELCOIN.safeIncreaseAllowance(
                address(defi.plugin),
                defi.referralFee
            );
            require(
                defi.plugin.increaseClaimableBy(
                    defi.referrer,
                    defi.referralFee
                ),
                "AmirX: balance was not adjusted"
            );
        }
        // retain remainder
        if (TELCOIN.balanceOf(address(this)) > 0)
            TELCOIN.safeTransfer(
                defi.defiSafe,
                TELCOIN.balanceOf(address(this))
            );
    }

The missing safeTransferFrom transaction prevents the contract from receiving the required referral fee before it attempts to approve and distribute the fee, causing failures in the reward distribution logic.

The previous version of your contract was doing that correct:

https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/21920190e0772afa18e7f856a036fea3ef5b9635/telcoin-contracts/contracts/swap/AmirX.sol#L124-L148

Internal pre-conditions

https://github.com/sherlock-audit/2024-11-telcoin/blob/b9c751b59e78a7123a636e31ecafc9147046f190/telcoin-audit/contracts/swap/AmirX.sol#L183-L214

External pre-conditions

No response

Attack Path

No response

Impact

Referral rewards cannot be claimed or distributed if the fee is not first transferred into the contract. So the contract will have loses.

PoC

No response

Mitigation

Add safeTransferFrom call to the _feeDispersal() function:

    function _feeDispersal(DefiSwap memory defi) internal {
        // must buy into TEL
        if (defi.feeToken != TELCOIN)
            _buyBack(
                defi.feeToken,
                defi.aggregator,
                defi.defiSafe,
                defi.swapData
            );

        // distribute reward
        if (defi.referrer != address(0) && defi.referralFee != 0) {
+          TELCOIN.safeTransferFrom(defi.defiSafe, address(this), defi.referralFee);
            TELCOIN.forceApprove(address(defi.plugin), 0);
            TELCOIN.safeIncreaseAllowance(
                address(defi.plugin),
                defi.referralFee
            );
            require(
                defi.plugin.increaseClaimableBy(
                    defi.referrer,
                    defi.referralFee
                ),
                "AmirX: balance was not adjusted"
            );
        }
        // retain remainder
        if (TELCOIN.balanceOf(address(this)) > 0)
            TELCOIN.safeTransfer(
                defi.defiSafe,
                TELCOIN.balanceOf(address(this))
            );
    }