PoolTogether - ptsanev's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

Researcher Performance

Rank: 53/111

Findings: 2

Award: $168.19

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

2.2492 USDC - $2.25

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-396

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

Vulnerability details

Impact

Any user can mint themselves or somebody else the yield fee, leading to a fund loss for the protocol.

Proof of Concept

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L394-L402

There is no access control and the address to get the minted tokens is passed as a parameter, so users can just mint to themselves until they drain it.

Tools Used

Manual Review

Either change visibility, add access control or just hardcode the recipient to be the _yieldFeeRecipient address, instead of an arbitrary address passed by the caller.

Assessed type

Access Control

#0 - c4-judge

2023-07-18T15:52:18Z

Picodes marked the issue as duplicate of #396

#1 - c4-judge

2023-08-05T22:03:45Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-08-05T22:03:53Z

Picodes changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: gzeon

Also found by: 0xMirce, Breeje, Inspecktor, ptsanev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-416

Awards

165.9409 USDC - $165.94

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L55-L86

Vulnerability details

Description

The VaultFactory is a simple contract allowing users to create their own Vaults by passing the needed parameters. These new Vaults use create, and since the protocol will be run on multiple chains, it is susceptible to reorgs.

Impact

Vaults not being deployed correctly, malicious actors overtaking ownership of new Vaults.

Proof of Concept

https://polygonscan.com/blocks_forked

Example of the great amounts of reorgs occurring on Polygon.

Fraud blocks on Optimism can also lead to reorgs.

Tools Used

Manual Review

Use create2 to create vaults and provide all of the constructor data + salt + msg.sender.

Assessed type

Timing

#0 - c4-judge

2023-07-18T18:09:29Z

Picodes marked the issue as duplicate of #416

#1 - c4-judge

2023-08-06T22:36:10Z

Picodes marked the issue as satisfactory
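
The mitigation recommended in the VaultFactory finding above, sketched as an added example (it is not PoolTogether's code and not part of the submission). DemoVault, DemoVaultFactory, deployWithCreate, deployWithCreate2 and predict are hypothetical names, and the two-argument constructor is a simplification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for a vault; constructor arguments are simplified.
contract DemoVault {
    address public immutable asset;
    address public immutable owner;

    constructor(address asset_, address owner_) {
        asset = asset_;
        owner = owner_;
    }
}

contract DemoVaultFactory {
    event NewVault(address indexed vault, address indexed deployer);

    // CREATE: address = keccak256(rlp([factory, factoryNonce]))[12:].
    // It depends only on deployment order, so after a reorg the same address
    // can hold a vault created by a different caller with different arguments.
    function deployWithCreate(address asset, address owner) external returns (address vault) {
        vault = address(new DemoVault(asset, owner));
        emit NewVault(vault, msg.sender);
    }

    // CREATE2: address = keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:].
    // initCode already contains the constructor arguments; mixing msg.sender
    // into the salt binds the address to the caller as well.
    function deployWithCreate2(address asset, address owner, bytes32 userSalt)
        external
        returns (address vault)
    {
        bytes32 salt = keccak256(abi.encode(msg.sender, userSalt));
        vault = address(new DemoVault{salt: salt}(asset, owner));
        emit NewVault(vault, msg.sender);
    }

    // Lets a caller compute the vault address before deploying or funding it.
    function predict(address deployer, address asset, address owner, bytes32 userSalt)
        external
        view
        returns (address)
    {
        bytes32 salt = keccak256(abi.encode(deployer, userSalt));
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(DemoVault).creationCode, abi.encode(asset, owner))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }
}
```

With deployWithCreate2, a replayed or reordered deployment either produces the same vault for the same caller and arguments or lands at a different address, so funds sent to a predicted address cannot end up in a vault with another owner.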
