PoolTogether - GoSlang's results

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 80

Period: 7 days

Judge: hansfriese

Total Solo HM: 2

Id: 332

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 49/80

Findings: 1

Award: $1.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.4652 USDC - $1.47

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_10_group
duplicate-59

External Links

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L611-L622

Vulnerability details

Impact

The claimYieldFeeShares function lets the YieldFeeRecipient claim a chosen amount of shares from the yieldFeeBalance. The implementation contains an error: the YieldFeeRecipient can specify any amount of shares as long as it is not 0 and not larger than the yieldFeeBalance, but when the claim is for less than the full yieldFeeBalance, the entire yieldFeeBalance is still subtracted from the yieldFeeBalance, leaving it at 0 even though only a smaller portion of the shares was claimed.

Proof of Concept

Consider the following: yieldFeeBalance = 1e18. The YieldFeeRecipient calls claimYieldFeeShares with 1 share. yieldFeeBalance is now set to 0 and the YieldFeeRecipient is minted 1 share, leaving the rest of the tokens in the contract ready to be taken by the next person to call deposit.

https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L614-L617

Tools Used

Vscode

Consider subtracting only the claimed shares, or only allowing the full amount to be claimed.

Assessed type

Invalid Validation
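The accounting error described in this finding, shown as an added example next to the first suggested mitigation. This is a simplified model written for illustration, not the PrizeVault source: the contract name, the error names, mintedToRecipient (a stand-in for the vault's share mint), totalAccrued and unaccountedFeeShares are assumptions; only claimYieldFeeShares, yieldFeeBalance and YieldFeeRecipient come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Simplified model written for this example; NOT the PrizeVault source.
contract YieldFeeModel {
    address public immutable yieldFeeRecipient;
    uint256 public immutable totalAccrued; // fee shares credited at deployment (constructed input)
    uint256 public yieldFeeBalance;        // fee shares still claimable
    uint256 public mintedToRecipient;      // hypothetical stand-in for minting vault shares

    error CallerNotYieldFeeRecipient();
    error ZeroShares();
    error SharesExceedYieldFeeBalance(uint256 shares, uint256 balance);

    constructor(address recipient, uint256 accrued) {
        yieldFeeRecipient = recipient;
        totalAccrued = accrued;
        yieldFeeBalance = accrued;
    }

    /// Behaviour described in the finding: the whole cached balance is subtracted.
    function claimYieldFeeSharesBuggy(uint256 shares) external {
        uint256 balance = _validate(shares);
        yieldFeeBalance -= balance; // BUG: should subtract `shares`
        mintedToRecipient += shares;
    }

    /// First suggested mitigation: subtract only what was claimed.
    function claimYieldFeeSharesFixed(uint256 shares) external {
        _validate(shares);
        yieldFeeBalance -= shares;
        mintedToRecipient += shares;
    }

    /// Invariant check: must always return 0. A non-zero value means fee
    /// shares were removed from yieldFeeBalance without being minted.
    function unaccountedFeeShares() external view returns (uint256) {
        return totalAccrued - yieldFeeBalance - mintedToRecipient;
    }

    function _validate(uint256 shares) private view returns (uint256 balance) {
        if (msg.sender != yieldFeeRecipient) revert CallerNotYieldFeeRecipient();
        if (shares == 0) revert ZeroShares();
        balance = yieldFeeBalance;
        if (shares > balance) revert SharesExceedYieldFeeBalance(shares, balance);
    }
}
```

Deployed with accrued = 1e18, a claim of 1 share through the buggy path leaves yieldFeeBalance at 0 and unaccountedFeeShares() at 1e18 - 1, while the fixed path keeps the invariant at 0. The same invariant works as a fuzz or unit-test assertion over arbitrary partial-claim sequences.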

#0 - c4-pre-sort

2024-03-11T21:55:41Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-03-11T21:55:47Z

raymondfam marked the issue as duplicate of #10

#2 - c4-pre-sort

2024-03-13T04:38:33Z

raymondfam marked the issue as duplicate of #59

#3 - c4-judge

2024-03-15T07:37:31Z

hansfriese changed the severity to 3 (High Risk)

#4 - c4-judge

2024-03-15T07:38:46Z

hansfriese marked the issue as satisfactory
