
supplyTokenTo allows users to bypass prize pool #3

Closed
code423n4 opened this issue Apr 29, 2022 · 2 comments
Labels: bug (Something isn't working), invalid (This doesn't seem right), sponsor disputed (Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue)

Comments

code423n4 (Contributor):

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L231-L242

Vulnerability details

Impact

Loss of user rewards

Proof of Concept

The contract allows anyone to call the supplyTokenTo and redeemToken functions, allowing users to bypass the prize pool contract and deposit/supply directly to the yield source. Underlying tokens would be safe, but users' rewards would be distributed to other users or lost.

Tools Used

Recommended Mitigation Steps

Require that only the prize pool can make redeem or supply calls.
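The following sketch is an added illustration of the mitigation the warden recommends, not code from the PoolTogether repository: an owner-managed allowlist of prize pools gates supplyTokenTo and redeemToken so that a direct depositor cannot route around the prize pool. The function names and signatures follow PoolTogether's IYieldSource interface; the storage layout, owner handling and 1:1 share accounting are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch (not the project's AaveV3YieldSource): expresses the
// warden's recommendation as an allowlist of prize pools permitted to call
// supplyTokenTo/redeemToken. Function names and signatures follow the
// IYieldSource interface; everything else is assumed for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract GatedYieldSourceSketch {
    address public owner;
    IERC20 public immutable depositToken;

    // Prize pools allowed to route deposits and withdrawals through this source.
    mapping(address => bool) public isPrizePool;
    // Share balances, keyed by the recipient named in supplyTokenTo.
    mapping(address => uint256) public shares;

    event PrizePoolAllowed(address indexed pool, bool allowed);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The gate the warden asked for: reject callers that are not a registered prize pool.
    modifier onlyPrizePool() {
        require(isPrizePool[msg.sender], "caller is not a prize pool");
        _;
    }

    constructor(IERC20 _depositToken) {
        owner = msg.sender;
        depositToken = _depositToken;
    }

    // Governance onboards (or removes) a prize pool explicitly.
    function setPrizePool(address pool, bool allowed) external onlyOwner {
        isPrizePool[pool] = allowed;
        emit PrizePoolAllowed(pool, allowed);
    }

    // Same signature as IYieldSource.supplyTokenTo; only the modifier is new.
    function supplyTokenTo(uint256 amount, address to) external onlyPrizePool {
        require(depositToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[to] += amount; // 1:1 share accounting keeps the sketch short
    }

    // Same signature as IYieldSource.redeemToken.
    function redeemToken(uint256 amount) external onlyPrizePool returns (uint256) {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        require(depositToken.transfer(msg.sender, amount), "transfer failed");
        return amount;
    }
}
```

The trade-off is the one the sponsor raises in the reply below: with this gate, every new prize pool has to be onboarded by the owner before it can use the source, whereas leaving the functions open lets any prize pool adopt the contract without a governance step.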

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 29, 2022
code423n4 added a commit that referenced this issue Apr 29, 2022
@PierrickGT PierrickGT self-assigned this May 2, 2022
@PierrickGT PierrickGT added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label May 2, 2022
PierrickGT (Member):

A user depositing into the yield source by calling the supplyTokenTo function would receive ERC20 tokens representing his shares of the deposit. He would then later be able to withdraw by calling the redeemToken function, and he would receive back the principal that he deposited earlier.
As mentioned by the warden, his deposit would be safe since he can withdraw at any time. Interest generated by this yield source is indeed redistributed to people who have deposited in a PoolTogether prize pool that uses this yield source and who win draws.
This is intended behavior that allows any PoolTogether prize pool to use this contract as a yield source. It wouldn't make sense to restrict the usage only to whitelisted prize pools.
For the reasons above, I've disputed the issue.

gititGoro (Collaborator) commented May 18, 2022

The only way this would be an issue is if a UI directed users inappropriately, but that's beyond the scope of this contest. Marking invalid.

@gititGoro gititGoro added the invalid This doesn't seem right label May 18, 2022
@JeeberC4 JeeberC4 removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label May 20, 2022