Back to degensec's contests

PoolTogether - degensec's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 28/111

Findings: 1

Award: $739.79

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: degensec

Also found by: pontifex

Labels

bug
2 (Med Risk)
downgraded by judge
primary issue
satisfactory
selected for report
sponsor confirmed
edited-by-warden
M-23

Awards

739.7915 USDC - $739.79

External Links

Link to GitHub issue

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L375-L377 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L383-L385

Vulnerability details

Impact

Vault does not conform to ERC4626 which may break external integrations

Proof of Concept

The ERC4626 specification states that maxDeposit MUST return the maximum amount of assets deposit would allow to be deposited for receiver and not cause a revert, which MUST NOT be higher than the actual maximum that would be accepted.

Similarly, maxMint MUST return the maximum amount of shares mint would allow to be deposited to receiver and not cause a revert, which MUST NOT be higher than the actual maximum that would be accepted.

The PoolTogether V5 Vault connects to an external ERC4626-compliant Vault (_yieldVault) and deposits incoming assets in it. This means that maxDeposit and maxMint of the PoolTogether Vault must be constrained by the maxDeposit and maxMint of the external Vault.

Tools Used

Manual review, ERC-4626: Tokenized Vaults

Replace the implementation of maxDeposit

  function maxDeposit(address) public view virtual override returns (uint256) {
    return _isVaultCollateralized() ? type(uint96).max : 0;
  }

with:

  function maxDeposit(address receiver) public view virtual override returns (uint256) {
    if (!_isVaultCollateralized()) return 0;

    uint256 yvMaxDeposit = _yieldVault.maxDeposit(receiver);
    return yvMaxDeposit < type(uint96).max ? yvMaxDeposit : type(uint96).max;
  }

Analogously, change the implementation of maxMint from

  function maxMint(address) public view virtual override returns (uint256) {
    return _isVaultCollateralized() ? type(uint96).max : 0;
  }

to:

  function maxMint(address receiver) public view virtual override returns (uint256) {
    if(!_isVaultCollateralized()) return 0;

    uint256 yvMaxMint = _yieldVault.maxDeposit(receiver);
    return yvMaxMint < type(uint96).max ? yvMaxMint : type(uint96).max;
  }

Assessed type

ERC4626

#0 - c4-judge

2023-07-18T18:14:22Z

Picodes marked the issue as primary issue

#1 - c4-sponsor

2023-07-18T23:53:33Z

asselstine marked the issue as sponsor confirmed

#2 - PierrickGT

2023-08-07T21:30:19Z

Fixed in the following PR: https://github.com/GenerationSoftware/pt-v5-vault/pull/11

#3 - c4-judge

2023-08-08T13:06:50Z

Picodes changed the severity to 3 (High Risk)

#4 - c4-judge

2023-08-08T13:08:28Z

Picodes changed the severity to 2 (Med Risk)

#5 - c4-judge

2023-08-08T13:11:30Z

Picodes marked the issue as selected for report

#6 - c4-judge

2023-08-08T13:11:40Z

Picodes marked the issue as satisfactory

#7 - asselstine

2023-08-17T21:59:35Z

Fixed in https://github.com/GenerationSoftware/pt-v5-vault/pull/11

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter