Back to oxchsyston's contests

PoolTogether - oxchsyston's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 82/111

Findings: 1

Award: $22.96

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: Jeiwan

Also found by: 0xSmartContract, 0xStalin, 3docSec, ABAIKUNANBAEV, btk, dev0cloo, dirk_y, grearlake, jaraxxus, keccak123, neumo, oxchsyston, rvierdiiev

Awards

22.9603 USDC - $22.96

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sponsor acknowledged
duplicate-300

External Links

Link to GitHub issue

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L55 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L254

Vulnerability details

Impact

Malicious vaultowner can depoy vault using malicious twabcontroller, yieldvault and prizepool contracts that can put users' funds at risk.

Proof of Concept

In the contract vaultfactory.sol, the function deployvault is used to deploy new vaults and then push it to the allvaults array. The addresses of the twabcontroller, yieldvault and prizepool were passed as input in the function but were not validated before the vault was deployed, in the cunstructor() of the vaults.sol contract, the if statement only checks that the addresses are not the zero address, but does not ensure that the addresses are the right ones.

 function deployVault(
    IERC20 _asset,
    string memory _name,
    string memory _symbol,
    TwabController _twabController,
    IERC4626 _yieldVault,
    PrizePool _prizePool,
    address _claimer,
    address _yieldFeeRecipient,
    uint256 _yieldFeePercentage,
    address _owner
  ) external returns (address) {
    Vault _vault = new Vault(
      _asset,
      _name,
      _symbol,
      _twabController,
      _yieldVault,
      _prizePool,
      _claimer,
      _yieldFeeRecipient,
      _yieldFeePercentage,
      _owner
    );

    allVaults.push(_vault);
    deployedVaults[_vault] = true;

    emit NewFactoryVault(_vault, VaultFactory(address(this)));

    return address(_vault);
  }

Tools Used

Manual review

ensure proper validation since these parameters are passed in manually which can possibly lead to some typos.

Assessed type

Invalid Validation

#0 - Picodes

2023-07-16T10:28:30Z

Regrouping here all issues related to using the permissionless nature of the factory to create a malicious deployment, and abusive usage of owner privileges

#1 - c4-judge

2023-07-16T10:28:35Z

Picodes marked the issue as primary issue

#2 - asselstine

2023-07-20T20:56:51Z

This the point of V5: we are replacing protocol gatekeeping with curation by front-ends.

The responsibility of curation will rest on front-ends, who will curate which vaults they show their users.

#3 - c4-sponsor

2023-07-20T20:57:01Z

asselstine marked the issue as sponsor acknowledged

#4 - Picodes

2023-08-06T10:44:25Z

I'll keep this issue as a valid Medium to highlight the importance of properly checking deployments or trusting the front-end.

#5 - c4-judge

2023-08-06T10:44:36Z

Picodes marked the issue as satisfactory

#6 - c4-judge

2023-08-06T10:44:50Z

Picodes changed the severity to 2 (Med Risk)

#7 - c4-judge

2023-08-06T10:46:06Z

Picodes marked issue #300 as primary and marked this issue as a duplicate of 300

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter