PoolTogether TwabRewards contest - pmerkleplant's results

A protocol for no loss prize savings on Ethereum

General Information

Platform: Code4rena

Start Date: 09/12/2021

Pot Size: $25,000 USDC

Total HM: 12

Participants: 25

Period: 4 days

Judge: LSDan

Total Solo HM: 4

Id: 64

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 14/25

Findings: 2

Award: $528.85

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PoolTogether

Findings Information

🌟 Selected for report: pmerkleplant

Also found by: GiveMeTestEther, WatchPug, defsec, pauliax

Labels

bug

3 (High Risk)

sponsor confirmed

Awards

510.9568 USDC - $510.96

External Links

Link to GitHub issue

Handle

pmerkleplant

Vulnerability details

Impact

There exist ERC20 tokens that charge a fee for every transfer.

This kind of token does not work correctly with the TwabRewards contract as the rewards calculation for an user is based on promotion.tokensPerEpoch (see line 320).

However, the actual amount of tokens the contract holds could be less than promotion.tokensPerEpoch * promotion.numberOfEpochs leading to not claimable rewards for users claiming later than others.

Recommended Mitigation Steps

To disable fee-on transfer tokens for the contract, add the following code in createPromotion around line 11:

uint256 oldBalance = _token.balanceOf(address(this));
_token.safeTransferFrom(msg.sender, address(this), _tokensPerEpoch * _numberOfEpochs);
uint256 newBalance = _token.balanceOf(address(this));
require(oldBalance + _tokenPerEpoch * _numberOfEpochs == newBalance);

#0 - dmvt
2022-01-17T11:46:08Z

This issue results in a direct loss of funds and can happen easily.

3 — High (H): vulns have a risk of 3 and are considered “High” severity when assets can be stolen/lost/compromised directly (or indirectly if there is a valid attack path that does not have hand-wavy hypotheticals).

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: robee

Also found by: 0x0x0x, defsec, leastwood, pmerkleplant

Labels

bug

duplicate

G (Gas Optimization)

Awards

13.1075 USDC - $13.11

External Links

Link to GitHub issue

Handle

pmerkleplant

Vulnerability details

Impact

Caching the array length outside a loop in a variable saves reading it on each iteration as long as the array's length is not changed during the loop.

Therefore, the following loops could be refactored:

TwabRewards.sol:172: for (uint256 index = 0; index < _epochIds.length; index++)
TwabRewards.sol:217: for (uint256 index = 0; index < _epochIds.length; index++)

Recommended Mitigation Steps

Use the following pattern for refactoring:

uint length = arr.length;
for (uint i = 0; i < length; i++) {
    // ...
}

Tools used

grep

#0 - PierrickGT
2021-12-10T17:29:28Z

Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/16

Findings Information

🌟 Selected for report: gpersoon

Also found by: 0xabcc, WatchPug, cmichel, danb, gzeon, pauliax, pmerkleplant, sirhashalot

Labels

bug

duplicate

G (Gas Optimization)

Awards

4.7777 USDC - $4.78

External Links

Link to GitHub issue

Handle

pmerkleplant

Vulnerability details

Impact

The function _requirePromotionActive requires the variable _promotionEndTimestamp to be greater than 0 and to be greater than block.timestamp (see line 255).

As block.timestamp is always greater than 0, the first check is unnecessary and could be removed to save gas.

#0 - PierrickGT
2021-12-10T17:28:40Z

Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/19

PoolTogether TwabRewards contest - pmerkleplant's results

A protocol for no loss prize savings on Ethereum

General Information

Findings Distribution

Researcher Performance

External Links

🌟 [H-07] Contract does not work with fee-on transfer tokens - $510.96

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Recommended Mitigation Steps

#0 - dmvt2022-01-17T11:46:08Z

Gas Report - $17.89

Gas Report - $17.89

[G-11] Cache array length outside of loop - $13.11

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Recommended Mitigation Steps

Tools used

#0 - PierrickGT2021-12-10T17:29:28Z

[G-07] Remove unnecessary check in `TwabRewards::_requirePromotionActive` - $4.78

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

#0 - PierrickGT2021-12-10T17:28:40Z

#0 - dmvt
2022-01-17T11:46:08Z

#0 - PierrickGT
2021-12-10T17:29:28Z

#0 - PierrickGT
2021-12-10T17:28:40Z