Description
Sunny Coral Monkey
Medium
Fee-on-Transfer Token Accounting Failure
Summary
The contracts transfer tokens and assume the received amount is exactly the transferred amount, which fails for fee-on-transfer tokens.
Root Cause
In DexSwap.sol and Router.sol, tokens are transferred from the user to the contract (Spender or Executor) and the contract then uses the entire fromTokenAmount for the swap. For fee-on-transfer tokens, however, the amount actually received by the contract is less than fromTokenAmount.

DexSwap.sol: https://github.com/sherlock-audit/2025-07-debank/blob/main/swap-router-v1/src/aggregatorRouter/DexSwap.sol#L137-L139

```solidity
// Transfer fromToken to Spender
if (params.fromToken != UniversalERC20.ETH) {
    IERC20(params.fromToken).safeTransferFrom(msg.sender, address(spender), params.fromTokenAmount);
}
```

Then, in the adapter, the amount to swap is read from the adapter's own balance, which for a fee-on-transfer token is less than the fromTokenAmount transferred from the user:

```solidity
// In any adapter, e.g., OneinchAdapter.sol
uint256 fromTokenAmount = IERC20(fromToken).universalBalanceOf(address(this));
// ... which for fee-on-transfer would be less than the amount transferred from the user
```

Router.sol: https://github.com/sherlock-audit/2025-07-debank/blob/main/swap-router-v1/src/router/Router.sol#L76-L78

```solidity
// Transfer fromToken to Executor
if (fromToken != UniversalERC20.ETH) {
    IERC20(fromToken).safeTransferFrom(msg.sender, address(executor), fromTokenAmount);
}
```

Then, in the executor, the entire fromTokenAmount is used for swapping.

Neither contract checks the balance actually received after the transfer, which is less than fromTokenAmount for fee-on-transfer tokens.
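The following is an added example, not code from the audited repository, showing the mismatch described above and the standard balance-delta fix. FeeOnTransferToken, NaiveRouter and MeasuringRouter are hypothetical names, and the token is a deliberately minimal ERC-20 subset that burns a 1% fee on every transfer; the audited contracts use safeTransferFrom and UniversalERC20 helpers instead of the bare calls shown here. MeasuringRouter measures the balance of the address the tokens land on, which in the audited code would be the Spender or Executor rather than the router itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed for this example: a minimal ERC-20 subset that deducts a
// 1% fee from the recipient on every transferFrom.
contract FeeOnTransferToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public constant FEE_BPS = 100; // 1% burned on every transfer

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee; // recipient is credited less than `amount`
        return true;
    }
}

// Vulnerable pattern (hypothetical): the caller-supplied amount is trusted as
// the amount received, which is the assumption the report describes.
contract NaiveRouter {
    function pull(FeeOnTransferToken token, address recipient, uint256 fromTokenAmount)
        external
        returns (uint256 credited)
    {
        token.transferFrom(msg.sender, recipient, fromTokenAmount);
        // Wrong for fee-on-transfer tokens: `recipient` holds less than this.
        credited = fromTokenAmount;
    }
}

// Hardened pattern (hypothetical): credit only the balance delta observed on
// the receiving address, so the swap amount matches what was really received.
contract MeasuringRouter {
    function pull(FeeOnTransferToken token, address recipient, uint256 fromTokenAmount)
        external
        returns (uint256 received)
    {
        uint256 before = token.balanceOf(recipient);
        token.transferFrom(msg.sender, recipient, fromTokenAmount);
        received = token.balanceOf(recipient) - before; // actual amount received
        require(received > 0, "nothing received");
    }
}
```

With a 1% fee and fromTokenAmount = 1000, NaiveRouter.pull reports 1000 while the recipient holds 990; MeasuringRouter.pull reports 990 and that figure is what should be forwarded to the executor or adapter. One caveat for the hardened form: a token with transfer hooks (an ERC-777 style token) can reenter between the two balance reads, so the measuring function should also be protected by a reentrancy guard.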
Internal Pre-conditions
N/A
External Pre-conditions
N/A
Attack Path
1. A user calls the swap entry point in DexSwap.sol or Router.sol with a fee-on-transfer token as fromToken and some fromTokenAmount.
2. The contract calls safeTransferFrom(msg.sender, spender/executor, fromTokenAmount). The token deducts its fee in transit, so the Spender or Executor receives less than fromTokenAmount.
3. The swap is executed on the assumption that the full fromTokenAmount is available; the amount the contract holds and the amount it accounts for now differ.
Impact
For fee-on-transfer tokens the swap is executed against an amount larger than the contract actually received. Depending on the adapter, the swap either reverts because the contract cannot supply fromTokenAmount, or it proceeds with the smaller real balance while the rest of the accounting still assumes fromTokenAmount, so swaps involving such tokens fail or produce results that do not match the amounts the user specified.
PoC
No response
Mitigation
No response