Late Hotpink Dinosaur
Medium
Missing XYZ token validation in fee collection will cause a tokenomics violation for the protocol as users can preserve XYZ tokens meant to be burned by having them transferred to the fee safe instead.
In StablecoinHandler.sol:_stablecoinSwap() at https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L152 the fee handling logic lacks XYZ token validation, in contrast to the main transfer logic:
// Fee handling - no XYZ check
ERC20PermitUpgradeable(ss.stablecoinFeeCurrency).safeTransferFrom(
wallet,
ss.stablecoinFeeSafe,
ss.feeAmount
);
// Main transfer - has XYZ check
if (isXYZ(ss.origin)) {
Stablecoin(ss.origin).burnFrom(wallet, ss.oAmount);
} else {
ERC20PermitUpgradeable(ss.origin).safeTransferFrom(
wallet,
ss.liquiditySafe,
ss.oAmount
);
}No response
No response
- User identifies a swap where XYZ tokens are used as fee currency
- Instead of having their XYZ tokens burned through proper burning mechanism
- User XYZ tokens are transferred to fee safe through regular ERC20 transfer
- XYZ tokens accumulate in fee safe instead of being burned
- Protocol's intended token burn mechanism is bypassed
The protocol's token economics are compromised as XYZ tokens meant to be burned remain in circulation, stored in the fee safe. This breaks the intended supply management system and could affect the value proposition of the protocol's tokenomics.
No response
No response