Fee-on-transfer tokens will behave incorrectly in the Marketplace
Description
In the Marketplace contract, the pay() function is used to pay for a domain name that has been put on sale off chain.
This contract allows for payment either through the chain-native token or through certain whitelisted ERC-20 tokens.
If one of the whitelisted tokens happens to take out a fee on transfer, then the amount of tokens sent to the treasury will be less than expected.
Impact
The client has stated that none of the tokens currently whitelisted contain any fee-on-transfer functionality. Thus, the impact is currently Informational.
However, we wanted to include this finding in order to ensure that care is taken when whitelisting any new tokens in the future.
Recommendations
Before adding new tokens to the whitelist, ensure that the token does not take a fee on transfer.
If a new token does require a fee on transfer, then some new logic must be added to the pay() function to account for this fee.
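One way to add such logic is to measure what the treasury actually received instead of trusting the requested amount. The contract below is an added sketch, not the audited Marketplace code: the contract name, the pay() signature, the treasury variable, the error and event names, and the use of OpenZeppelin's SafeERC20 are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical example: names and signatures are assumptions and do not
// reflect the real Marketplace contract.
contract FeeAwarePayment {
    using SafeERC20 for IERC20;

    // Assumed recipient of all payments.
    address public immutable treasury;

    error ShortPayment(uint256 expected, uint256 received);

    event Paid(address indexed payer, address indexed token, uint256 received);

    constructor(address treasury_) {
        treasury = treasury_;
    }

    // Pulls `price` tokens from the caller to the treasury and reverts when
    // the treasury is credited with less than `price`, which is what happens
    // with a fee-on-transfer token.
    function pay(address token, uint256 price) external {
        IERC20 erc20 = IERC20(token);

        // Snapshot the recipient balance, transfer, then take the delta.
        uint256 balanceBefore = erc20.balanceOf(treasury);
        erc20.safeTransferFrom(msg.sender, treasury, price);
        // Checked arithmetic (Solidity >= 0.8) reverts if the balance shrank.
        uint256 received = erc20.balanceOf(treasury) - balanceBefore;

        if (received < price) revert ShortPayment(price, received);

        // Log the measured amount, not the requested one, so off-chain
        // order settlement sees what was really paid.
        emit Paid(msg.sender, token, received);
    }
}
```

Running the same balance-delta comparison against a candidate token in a fork test before whitelisting it covers the first recommendation as well.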
Remediation
The D3 Doma Team's position is as follows:
All tokens are whitelisted on the backend side. The same approach is used for the new Seaport-based implementation.