PoolTogether contest - tensors's results

A protocol for no loss prize savings on Ethereum

General Information

Platform: Code4rena

Start Date: 17/06/2021

Pot Size: $60,000 USDC

Total HM: 12

Participants: 12

Period: 7 days

Judge: LSDan

Total Solo HM: 8

Id: 14

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 3/12

Findings: 2

Award: $6,263.37

🌟 Selected for report: 2

🚀 Solo Findings: 1

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository PoolTogether

Findings Information

🌟 Selected for report: tensors

Labels

bug

3 (High Risk)

sponsor confirmed

Awards

5827.0101 USDC - $5,827.01

External Links

Link to GitHub issue

Handle

tensors

Vulnerability details

Impact

Because mantissa calculations are not used in this case to account for decimals, the arithmetic can zero out the number of shares or tokens that should be given.

For example, say I deposit 1 token, expecting 1 share in return. On L95, if the totalunderlying assets is increased to be larger than the number of total shares, then the division would output 0 and I wouldn't get any shares.

Proof of Concept

https://github.com/sunnyRK/IdleYieldSource-PoolTogether/blob/6dcc419e881a4f0f205c07c58f4db87520b6046d/contracts/IdleYieldSource.sol#L95

https://github.com/sunnyRK/IdleYieldSource-PoolTogether/blob/6dcc419e881a4f0f205c07c58f4db87520b6046d/contracts/IdleYieldSource.sol#L106

Recommended Mitigation Steps

Implement mantissa calculations like in the contract for the AAVE yield.

#0 - PierrickGT
2021-07-02T15:13:30Z

PR: https://github.com/pooltogether/idle-yield-source/pull/5

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: shw

Also found by: tensors

Labels

bug

duplicate

G (Gas Optimization)

Awards

135.4239 USDC - $135.42

External Links

Link to GitHub issue

Handle

tensors

Vulnerability details

Impact

Changing the functions in SushiYieldSource.sol to external can save gas.

Proof of Concept

https://github.com/pooltogether/sushi-pooltogether/blob/master/contracts/SushiYieldSource.sol

Recommended Mitigation Steps

Change public to external

#0 - asselstine
2021-06-24T23:54:11Z

Duplicate of https://github.com/code-423n4/2021-06-pooltogether-findings/issues/107

Findings Information

🌟 Selected for report: tensors

Labels

bug

G (Gas Optimization)

sponsor confirmed

ATokenYieldSource

Awards

300.9419 USDC - $300.94

External Links

Link to GitHub issue

Handle

tensors

Vulnerability details

##Impact Uninitialized variables initialize to 0 automatically. No need to explicitly initialize it.

##Proof of concept https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L141

##Recommended mitigation steps Replace with: uint256 shares;

#0 - PierrickGT
2021-06-28T09:40:36Z

PR: https://github.com/pooltogether/aave-yield-source/pull/16

PoolTogether contest - tensors's results

A protocol for no loss prize savings on Ethereum

General Information

Findings Distribution

Researcher Performance

External Links

🚀 [H-05] `IdleYieldSource` doesn't use mantissa calculations - $5,827.01

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - PierrickGT2021-07-02T15:13:30Z

Gas Report - $436.36

Gas Report - $436.36

[G-31] Functions in SushiYieldSource can be external - $135.42

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - asselstine2021-06-24T23:54:11Z

🚀 [G-30] Gas savings on uninitialized variables. - $300.94

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

#0 - PierrickGT2021-06-28T09:40:36Z

#0 - PierrickGT
2021-07-02T15:13:30Z

#0 - asselstine
2021-06-24T23:54:11Z

#0 - PierrickGT
2021-06-28T09:40:36Z