PoolTogether Aave v3 contest - cccz's results

A protocol for no loss prize savings on Ethereum.

General Information

Platform: Code4rena

Start Date: 29/04/2022

Pot Size: $22,000 USDC

Total HM: 6

Participants: 40

Period: 3 days

Judge: Justin Goro

Total Solo HM: 2

Id: 114

League: ETH

PoolTogether

Researcher Performance

Rank: 15/40

Findings: 1

Award: $309.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: MaratCerby

Also found by: CertoraInc, IllIllI, berndartmueller, cccz, reassor

Labels

bug
duplicate
2 (Med Risk)

Awards

309.1634 USDC - $309.16

[Low-01] Unsupported fee-on-transfer tokens

Impact

When _underlyingAssetAddress is a fee-on-transfer token, in the supplyTokenTo function, the actual amount of tokens received by the contract will be less than the _depositAmount, so that the subsequent _pool().supply function will fail to execute.

Proof of Concept

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L231-L242

Tools Used

None

Consider getting the received amount by calculating the difference of token balance (using balanceOf) before and after the safeTransferFrom.
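
The balance-difference approach recommended above, shown in Solidity as an added example (not code from the finding or from PoolTogether). The contract name `BalanceDiffDeposit`, the `IPoolLike` interface, the `credited` mapping and the zero referral code are assumptions for illustration, and the imports assume OpenZeppelin's `SafeERC20` is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Minimal pool interface assumed for this example.
interface IPoolLike {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

// Hypothetical contract, not AaveV3YieldSource: it shows only the deposit accounting.
contract BalanceDiffDeposit {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    IPoolLike public immutable pool;
    mapping(address => uint256) public credited; // stands in for share accounting

    error NothingReceived();

    constructor(IERC20 _token, IPoolLike _pool) {
        token = _token;
        pool = _pool;
    }

    // A production version also needs a reentrancy guard here; omitted for brevity.
    function supplyTokenTo(uint256 _depositAmount, address _to) external {
        // Measure what actually arrives instead of trusting _depositAmount.
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), _depositAmount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();

        // Approve and forward only the received amount, so the pool is never
        // asked to pull more than this contract holds.
        token.safeIncreaseAllowance(address(pool), received);
        pool.supply(address(token), received, address(this), 0);

        // Credit the depositor for the received amount, not the requested one.
        credited[_to] += received;
    }
}
```

A project that does not intend to support fee-on-transfer tokens can instead revert when `received != _depositAmount`, which turns the failure into an explicit, documented rejection.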

#0 - PierrickGT

2022-05-03T16:26:08Z

#1 - gititGoro

2022-05-14T01:18:02Z

Changing to Med Risk bug as this isn't a QA issue. The sponsor's intention to not support FOT tokens will be taken into account.

#2 - JeeberC4

2022-05-23T16:48:19Z

Renaming as judge has upgraded the issue from QA Report.
