Full Report
The author of this post decided to look into DFX after only looking into smart contract security for a month. This is a decentralized exchange specifically for stablecoin swaps. Fee on Transfer (FoT) tokens are a specific type of ERC20 token whose balance is diminished as they are spent. This breaks the math in many protocols, making it a common (yet well-known) finding. First, they reported that FoT tokens can break the protocol. This is because the fee ends up being paid by the liquidity providers, who gradually lose their investment in the trading pair. Over time, all of the FoT token will be gone. The second finding is a little weird to me in that it was accepted. The repo assumes that 1 USDC = 1 USD in fiat currency. Everything revolves around USDC being stable and normal. Even a previous audit from Trail of Bits mentioned this. The author tried to find a way to break the protocol using this knowledge of USDC. Since USDC is upgradable, a change to it could break the entire protocol. In particular, building on the previous finding, upgrading it into a FoT token really breaks it. They tried reporting these bugs as critical severity issues, which is completely ludicrous. Instead, the program classified these two bugs as mediums and paid out 5K apiece. To me, this is crazy to pay out for, since both are extremely theoretical issues. Personally, I'm a little offended at this getting paid out. I felt like they over-reported the issues, reporting something theoretical in nature, yet still got paid. Typically, I think about what an attacker can completely control. In this case, it was USDC upgrading its implementation, or the use of an FoT token, that caused an issue: something completely out of an attacker's control. They did include a PoC for each bug and an explanation of the impact. So, I do believe this helps a bunch. Should I change my perspective on what is reportable? In my mind, I should probably think about actors besides myself in the game.
Additionally, thinking through potential usage scenarios, such as FoT tokens in this case, can be useful for saving the protocol from a hack before it occurs.
Analysis Summary
# Vulnerability: Unsupported Fee on Transfer (FoT) Tokens in DFX DEX
## CVE Details
- CVE ID: N/A (This appears to be a report on a standard contract incompatibility finding, not yet assigned a public CVE)
- CVSS Score: N/A (Severity was rated Medium by the program)
- CWE: CWE-840 Business Logic Errors (The fee mechanism of the token is incompatible with the protocol logic, leading to drain/imbalance)
## Affected Systems
- Products: DFX Decentralized Exchange (DEX) Protocol
- Versions: Not specified, but applies to versions active during the reported period (February 2023 context).
- Configurations: Any trading pair/liquidity pool involving a Fee on Transfer (FoT) token swapped against USDC or utilized as one of the base assets in a liquidity curve, especially in stablecoin swap paths. Also affected by the dependency chain leveraging upgradable USDC.
## Vulnerability Description
Two primary, related issues were reported against the DFX protocol:
1. **Fee on Transfer (FoT) Token Incompatibility:** The protocol does not account for the hidden fee mechanism inherent in Fee on Transfer ERC20 tokens. When an FoT token is swapped (e.g., for USDC), the fee is deducted from the amount transferred to the recipient pool/liquidity provider (LP). This results in LPs gradually losing their investment in the pool over time because the fee mechanically drains the LPs' assets unevenly. Initial pool deposits can also become unbalanced if FoT tokens are involved.
2. **Dependency on Upgradable USDC:** DFX relies heavily on the fixed collateral value of **1 USDC = $1** and uses USDC as a critical bridge asset (e.g., EURT $\rightarrow$ USDC $\rightarrow$ GYEN). Since USDC is an upgradable token, any future malicious upgrade to its implementation (e.g., turning it into an FoT token) could fundamentally break the protocol's math, asset assumptions, and stability mechanisms.
## Exploitation
- Status: Proof-of-Concept (PoC) available for both findings. The reporter created a custom mock FoT token to demonstrate the drain.
- Complexity: Rated Medium severity by the program, suggesting a non-trivial but achievable exploit vector that required understanding token mechanics.
- Attack Vector: Interaction with the DEX smart contracts (swapping or providing liquidity).
## Impact
- Confidentiality: No direct impact reported.
- Integrity: **High for FoT Issue:** Liquidity providers face gradual financial loss/drain of investment in affected pools. **High for USDC Issue:** Complete protocol integrity failure or financial manipulation possibility if USDC contract implementation changes unexpectedly or maliciously.
- Availability: Indirect impact on pool availability/usability due to imbalance or potential asset degradation.
## Remediation
### Patches
- The article suggests implementing logic similar to Uniswap V2/V3 to handle FoT tokens by checking the difference between the amount sent and the amount received, potentially reverting swaps or using a specialized swap function that accounts for on-chain fees.
- For the USDC upgradeability concern, an adapter mechanism is recommended to interface safely with upgradable assets.
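To make the FoT drain described above and the balance-difference fix from the Patches list concrete, here is an added toy model (not DFX's code, and not the reporter's PoC). A constructed fee-burning token is swapped into a constant-product pool that either credits the nominal amount sent (vulnerable) or, Uniswap-style, only the amount actually received (hardened); `accounting_gap` is the number of tokens the pool has promised LPs but does not hold.

```python
"""Toy model of fee-on-transfer accounting drift (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class FoTToken:
    """ERC20-like balance map that burns fee_bps of every transfer."""
    fee_bps: int
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> bool:
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee
        return True  # returns True like any ERC20, so callers cannot tell

@dataclass
class Pool:
    """Constant-product pool holding a FoT token against fee-free USDC."""
    token: FoTToken
    reserve_token: int       # what the pool *believes* it holds
    reserve_usdc: int
    credit_received: bool    # False = vulnerable, True = Uniswap-style fix

    def swap_token_for_usdc(self, trader: str, amount_in: int) -> int:
        before = self.token.balances.get("pool", 0)
        self.token.transfer(trader, "pool", amount_in)
        received = self.token.balances["pool"] - before   # net of the fee
        credited = received if self.credit_received else amount_in
        amount_out = self.reserve_usdc * credited // (self.reserve_token + credited)
        self.reserve_token += credited
        self.reserve_usdc -= amount_out
        return amount_out

    def accounting_gap(self) -> int:
        """Tokens promised to LPs via reserves that the pool does not hold."""
        return self.reserve_token - self.token.balances.get("pool", 0)

def simulate(credit_received: bool, swaps: int = 5, fee_bps: int = 100) -> int:
    """Run `swaps` trades of 10_000 FoT tokens and return the accounting gap."""
    token = FoTToken(fee_bps, {"pool": 1_000_000, "trader": 1_000_000})
    pool = Pool(token, 1_000_000, 1_000_000, credit_received)
    for _ in range(swaps):
        pool.swap_token_for_usdc("trader", 10_000)
    return pool.accounting_gap()

if __name__ == "__main__":
    print("vulnerable gap:", simulate(False))  # grows by the fee every swap
    print("hardened gap:  ", simulate(True))   # stays at zero
```

The gap in the vulnerable pool grows by the fee on every swap, which is the shortfall the last LP to withdraw would absorb; the same drift appears on the USDC leg if USDC were ever upgraded to charge a fee.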
### Workarounds
- Temporary workaround involves explicitly checking if any involved token is a known Fee on Transfer token and preventing its use, or ensuring that only audited, non-FoT tokens are used in liquidity pools until proper handling is implemented.
- Stop using USDC as a bridge asset if its upgradability poses an unacceptable risk, or use an adapter if protocol design requires interaction with upgradable assets.
## Detection
- **Indicators of Compromise (IOCs):** Unusual imbalance detected in liquidity pool reserves for pairs involving non-standard ERC20 tokens, where the expected deposit balance does not match the reserve change after a swap or deposit.
- **Detection Methods and Tools:** Static analysis tools capable of identifying token transfer hooks or non-standard `transfer`/`transferFrom` return logic associated with FoT tokens. On-chain monitoring of price/reserve deviation in stable pools.