PoolTogether - gzeon's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

Researcher Performance

Rank: 48/111

Findings: 1

Award: $215.72

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: gzeon

Also found by: 0xMirce, Breeje, Inspecktor, ptsanev

Labels

bug, 2 (Med Risk), primary issue, satisfactory, selected for report, sponsor disputed, M-08

Awards

215.7232 USDC - $215.72

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67-L78

Vulnerability details

Impact

Vaults are created from the factory with plain CREATE (CREATE1), so a new vault's address depends only on the factory address and its current nonce, not on the vault config. An attacker can front-run a deployVault call to deploy a vault at the same address but with a different config. If the chain reorgs, a different vault might likewise end up deployed at the same address.

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L67-L78

  1. Bob sets up a bot that monitors the mempool for PT deploying a new vault.
  2. Bob's bot sees a deployment by PT that will land at 0x1234 and immediately fires a deposit transaction to that address.
  3. Alice front-runs PT's deployment by deploying a malicious vault at 0x1234.
  4. Bob's transaction ends up depositing into Alice's malicious vault.

Use CREATE2 with the vault config as the salt.

Assessed type

MEV

#0 - c4-judge

2023-07-16T21:53:33Z

Picodes marked the issue as primary issue

#1 - asselstine

2023-07-20T22:45:03Z

The Vault address is derivative of the (sender address, nonce). I don't see how this scenario is possible?

#2 - c4-sponsor

2023-07-20T22:45:09Z

asselstine marked the issue as sponsor disputed

#3 - Picodes

2023-08-06T22:35:53Z

@asselstine exactly, so here it only depends on the nonce of the factory, so in case of reorg someone could "override" a vault deployment and all following transactions would still be executed

#4 - c4-judge

2023-08-06T22:35:58Z

Picodes marked the issue as satisfactory

#5 - c4-judge

2023-08-06T22:36:02Z

Picodes marked the issue as selected for report

#6 - asselstine

2023-08-17T21:23:18Z
