Back to kebabsec's contests

PoolTogether Aave v3 contest - kebabsec's results

A protocol for no loss prize savings on Ethereum.

General Information

Platform: Code4rena

Start Date: 29/04/2022

Pot Size: $22,000 USDC

Total HM: 6

Participants: 40

Period: 3 days

Judge: Justin Goro

Total Solo HM: 2

Id: 114

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 10/40

Findings: 2

Award: $605.71

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: WatchPug

Also found by: 0xDjango, CertoraInc, Tadashi, berndartmueller, kebabsec, leastwood, unforgiven

Labels

bug
duplicate
3 (High Risk)

Awards

500.8447 USDC - $500.84

External Links

Link to GitHub issue

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L255

Vulnerability details

Impact

Calculation without the bigger than zero check may result in loss of user funds, albeit in tiny amounts as of now.

Proof of Concept

In this line of redeemToken (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L256) shares to burn is calculated through _tokenToShares method (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L357). As there is no check that checks if amount of _shares is larger than 0 like the one in supplyTokenTo (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L233), _tokenToShares (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L357) may return 0 and this may result in withdrawal of funds without burning any shares.

To our knowledge, this can be exploited as of now for only the smallest unit of the token underlying, so for example one millionth of an USDC at a time. As the aTokens, the shares, and the token underlying shares the same amount of decimals the calculation is actually (amount of tokens to withdraw * (X * 10 ** 6) / ((X + some interest) * 10 ** 6). Due to the nature of this calculation, "amount of tokens to withdraw" should be 1 for this calculation to return 0 in our understanding of the issue. While this is probably not much of an issue, we are reporting this as exploiting it might be meaningful in future and it has an easy fix.

Tools Used

Manual code review, talks with dev

Implement a require check like the one in supplyTokenTo (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L233)

#0 - PierrickGT

2022-05-05T22:13:27Z

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/44

Findings Information

🌟 Selected for report: MaratCerby

Also found by: 0x52, 0xDjango, 0xf15ers, Dravee, GimelSec, IllIllI, Picodes, delfin454000, gzeon, hake, kebabsec, pauliax, reassor, z3s

Labels

bug
QA (Quality Assurance)

Awards

104.8707 USDC - $104.87

External Links

Link to GitHub issue

Typo in the lines (https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L38, https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L156) "inhereted" should be "inherited"

#0 - PierrickGT

2022-05-04T16:04:55Z

Duplicate of https://github.com/code-423n4/2022-04-pooltogether-findings/issues/22

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter