Manual deposits can manipulate share price

[code423n4]

Handle

tensors

Vulnerability details

Impact

Increasing/decreasing the balance of tokens in the pool by manually depositing them changes the values of the shares.

Proof of Concept

https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L147-L149

https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L164-L166

Suppose that before I swap my shares (S in total ) for tokens (T in total) I deposit X tokens to the pool without getting shares for them.

By the shares to tokens formula, if S(A+X)/T -X > 0 I can take a profit from artificially increasing the price.

If I have some mechanism to withdraw the tokens X, that I deposited then it is always profitable to manipulate the price of the shares. I couldn't find such a mechanism in the code, but maybe someone else did.

Recommended Mitigation Steps

Record the price gained through interest alone, or don't allow deposits from unknown sources.

[asselstine]

By depositing tokens directly into the yield source, you're effectively distributing those tokens over all shareholders. There is nothing to be gained by depositing.

[dmvt]

Vulnerability relies on a non-existent withdraw mechanism. Attempting this exploit would benefit, not harm, all users. Closing.