A security researcher earned $10,000 on Immunefi by discovering two related vulnerabilities in DFX Finance: unhandled fee-on-transfer (FoT) tokens that drain liquidity from USDC pairs, and risks from USDC being upgradable, which could introduce breaking changes to the protocol. The submission succeeded through a functional proof-of-concept, real-world impact examples, and actionable remediation recommendations.
Brahma-Fi's withdrawal mechanism uses Curve's calc_token_amount() function with an incorrect boolean parameter (true instead of false), causing LP token amount calculations to underestimate required withdrawals and leading to batch withdrawal failures. The bug affects both unstaking amounts and LP redemption amounts, resulting in insufficient USDC being withdrawn from the Curve pool.