PoolTogether - iberry's results

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 80

Period: 7 days

Judge: hansfriese

Total Solo HM: 2

Id: 332

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 68/80

Findings: 1

Award: $1.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PoolTogether

Findings Information

🌟 Selected for report: DarkTower

Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie

Awards

1.4652 USDC - $1.47

Labels

bug

3 (High Risk)

satisfactory

sufficient quality report

upgraded by judge

edited-by-warden

:robot:_10_group

duplicate-59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622

Vulnerability details

Impact

Incorrect yieldFeeBalance Calculation in PrizeVault#claimYieldFeeShares.This may result in an inaccurate representation of the yieldFeeBalance held by the contract

Proof of Concept

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622

In Line 617:

File: /2024-03-pooltogether/pt-v5-vault/src/PrizeVault.sol 611: function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient { 612: if (_shares == 0) revert MintZeroShares(); 613: 614: uint256 _yieldFeeBalance = yieldFeeBalance; 615: if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance); 616: 617: yieldFeeBalance -= _yieldFeeBalance; 618: 619: _mint(msg.sender, _shares); 620: 621: emit ClaimYieldFeeShares(msg.sender, _shares); 622: }

yieldFeeBalance should reduce _shares. yieldFeeBalance -= _yieldFeeBalance will cause yieldFeeBalance = 0, Incorrect yieldFeeBalance calculation will cause loss yieldFeeBalance.

Tools Used

Manual Review

Recommended Mitigation Steps

yieldFeeBalance -= _shares; or yieldFeeBalance = _yieldFeeBalance - _shares;

Assessed type

Other

#0 - c4-pre-sort
2024-03-11T21:44:58Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort
2024-03-11T21:45:04Z

raymondfam marked the issue as duplicate of #10

#2 - c4-pre-sort
2024-03-13T04:38:20Z

raymondfam marked the issue as duplicate of #59

#3 - c4-judge
2024-03-15T07:37:31Z

hansfriese changed the severity to 3 (High Risk)

#4 - c4-judge
2024-03-15T07:39:13Z

hansfriese marked the issue as satisfactory

PoolTogether - iberry's results

General Information

Findings Distribution

Researcher Performance

External Links

[H-01] Incorrect yieldFeeBalance Calculation in PrizeVault#claimYieldFeeShares - $1.47

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-03-11T21:44:58Z

#1 - c4-pre-sort2024-03-11T21:45:04Z

#2 - c4-pre-sort2024-03-13T04:38:20Z

#3 - c4-judge2024-03-15T07:37:31Z

#4 - c4-judge2024-03-15T07:39:13Z

#0 - c4-pre-sort
2024-03-11T21:44:58Z

#1 - c4-pre-sort
2024-03-11T21:45:04Z

#2 - c4-pre-sort
2024-03-13T04:38:20Z

#3 - c4-judge
2024-03-15T07:37:31Z

#4 - c4-judge
2024-03-15T07:39:13Z