SUB002: OFT Fee-on-Transfer Mismatch
OFT bridge credits full amount on FOT tokens, ignoring transfer fee deduction.
MEDIUM · STATIONARY LOW · LayerZero · $15M
N6 Kill Chain: Q1 Direct PASS · Q2 Contract PASS · Q3 Prod PASS · Q4 Material PASS · Q5 Novel PASS · Q6 Welical PASS
Attack Vector
OFT adapters don't account for fee-on-transfer tokens: the source side only receives the post-fee amount, while the destination credits the full pre-fee amount. Net: 2 free tokens created per 100-token bridge operation at a 2% fee.
Kill Chain
1. Use a fee-on-transfer token (2% fee).
2. Bridge 100 tokens via OFT.
3. Only 98 arrive at the bridge contract.
4. Destination mints the full 100. Net: 2 free tokens.
Impact: HIGH
Infinite mint via fee differential. Each bridge operation creates tokens from nothing; a 2% fee times repeated bridging gives unlimited inflation.
Severity: HIGH, unlimited inflation on any OFT deployment wrapping fee tokens.
Proof of Concept
1. Deploy an ERC20 with a 2% transfer fee.
2. Wrap it in an OFT adapter.
3. Bridge 1000 tokens via OFTAdapter.send(). Source side: only 980 arrive at the adapter (20 fee).
4. Destination mints 1000. Delta = 20 free tokens.
Caveat
Impact depends on the specific OFT deployment using fee tokens; a protocol-by-protocol audit is required.
Detection Signals
▸ Monitor OFTSent events vs Transfer events for the same tx.
▸ If amountSentLD != amountReceivedLD and delta > dust, alert.
▸ Track OFT mint vs burn across chains.
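A defender-side implementation of the two per-transaction signals above, as an added example (not code from this page or from LayerZero): it pairs the ERC20 Transfer into the adapter with the OFTSent event of the same tx and flags the fee-on-transfer shortfall, using constructed sample events, a placeholder adapter address and an assumed dust tolerance.

```python
from collections import defaultdict

# Placeholder OFTAdapter address and dust tolerance (both assumptions, not real values).
ADAPTER = "0xADAPTER_PLACEHOLDER"
DUST = 10 ** 12  # rounding slack for decimal conversion, in local decimals

# Constructed sample events (not real chain data), decoded to the fields we need:
#   Transfer: ERC20 Transfer(from, to, value)
#   OFTSent:  OFT OFTSent(guid, dstEid, from, amountSentLD, amountReceivedLD)
SAMPLE_EVENTS = [
    # Well-behaved token: adapter receives exactly what OFTSent records.
    {"tx": "0xaa1", "event": "Transfer", "to": ADAPTER, "value": 1000 * 10**18},
    {"tx": "0xaa1", "event": "OFTSent", "amountSentLD": 1000 * 10**18, "amountReceivedLD": 1000 * 10**18},
    # Fee-on-transfer token (2% fee): adapter receives 980 but OFTSent records 1000.
    {"tx": "0xbb2", "event": "Transfer", "to": ADAPTER, "value": 980 * 10**18},
    {"tx": "0xbb2", "event": "OFTSent", "amountSentLD": 1000 * 10**18, "amountReceivedLD": 1000 * 10**18},
    # Dust-level skew only: below tolerance, must not alert.
    {"tx": "0xcc3", "event": "Transfer", "to": ADAPTER, "value": 1000 * 10**18 + 5},
    {"tx": "0xcc3", "event": "OFTSent", "amountSentLD": 1000 * 10**18 + 5, "amountReceivedLD": 1000 * 10**18},
]


def detect_fot_mismatch(events, adapter=ADAPTER, dust=DUST):
    """Return one alert per signal per tx where what the adapter actually received
    falls short of what OFTSent claims (deposit_shortfall), or where amountSentLD and
    amountReceivedLD disagree beyond dust (sent_received_skew). Assumes one bridge per tx."""
    by_tx = defaultdict(lambda: {"received": 0, "sent": []})
    for ev in events:
        slot = by_tx[ev["tx"]]
        if ev["event"] == "Transfer" and ev["to"] == adapter:
            slot["received"] += ev["value"]  # tokens that really landed in the adapter
        elif ev["event"] == "OFTSent":
            slot["sent"].append(ev)
    alerts = []
    for tx, slot in by_tx.items():
        for sent in slot["sent"]:
            shortfall = sent["amountSentLD"] - slot["received"]
            if shortfall > dust:
                alerts.append({"tx": tx, "signal": "deposit_shortfall", "delta": shortfall})
            skew = abs(sent["amountSentLD"] - sent["amountReceivedLD"])
            if skew > dust:
                alerts.append({"tx": tx, "signal": "sent_received_skew", "delta": skew})
    return alerts
```

The shortfall in the alert is exactly the amount that will be minted from nothing on the destination, which makes it a direct measure of the inflation described above.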
Findings
NP-SUB002-001 HIGH: No fee-on-transfer detection in the OFT standard.
NP-SUB002-002 STRONG: _credit() on the destination mints the full amount regardless.
NP-SUB002-003 OPEN: Affects all OFT V2 adapters wrapping non-standard ERC20s.
BOWERBOUNTY · 6 STAGES
✓ discovery (vuln surface)
✓ placement (attack vector)
✓ materials (PoC code)
✓ lighting (CLO brief)
✓ validation (programme match)
○ packaging (filed)
BOWER SCORE: 50/100 · 5/6 stages complete
🍀 MEDIUM · N6 ALL PASS · PENDING CLO