PoolTogether micro contest #1 - tensors's results

A protocol for no loss prize savings on Ethereum

General Information

Platform: Code4rena

Start Date: 29/07/2021

Pot Size: $20,000 USDC

Total HM: 8

Participants: 12

Period: 3 days

Judge: LSDan

Total Solo HM: 2

Id: 24

League: ETH

PoolTogether

Researcher Performance

Rank: 8/12

Findings: 2

Award: $480.24

🌟 Selected for report: 2

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: tensors

Also found by: GalloDaSballo, cmichel, hickuphh3

Labels

bug
2 (Med Risk)
SwappableYieldSource
sponsor confirmed

Awards

169.7571 USDC - $169.76

Handle

tensors

Vulnerability details

Impact

After swapping a yield source, the old yield source still has infinite approval. Infinite approval has been used in large attacks if the yield source isn't perfectly safe (see Furucombo).

Proof of Concept

https://github.com/pooltogether/swappable-yield-source/blob/89cf66a3e3f8df24a082e1cd0a0e80d08953049c/contracts/SwappableYieldSource.sol#L268

Decrease approval after swapping the yield source.
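The recommendation above, as an added example that is not part of the original finding or PoolTogether's code: a minimal sketch showing a swap that leaves the old allowance in place beside one that revokes it. The contract name, function names and the assumption that the deposit token returns `bool` from `approve` are hypothetical, and moving funds between sources is left out to focus on the allowance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names are hypothetical, not PoolTogether's contract.
// Assumes a deposit token whose approve() returns bool.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

contract SwappableSourceSketch {
    IERC20 public immutable depositToken;
    address public yieldSource;
    address public owner;

    constructor(IERC20 _token, address _yieldSource) {
        depositToken = _token;
        owner = msg.sender;
        yieldSource = _yieldSource;
        // Infinite approval so the yield source can pull deposits.
        require(_token.approve(_yieldSource, type(uint256).max), "approve failed");
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Before: the old source keeps its type(uint256).max allowance after
    // the swap, so it can still pull any deposit tokens this contract holds.
    function swapUnsafe(address newSource) external onlyOwner {
        yieldSource = newSource;
        require(depositToken.approve(newSource, type(uint256).max), "approve failed");
    }

    // After: revoke the old allowance before approving the new source.
    function swapRevoking(address newSource) external onlyOwner {
        address old = yieldSource;
        require(newSource != address(0) && newSource != old, "bad source");
        require(depositToken.approve(old, 0), "revoke failed");
        yieldSource = newSource;
        require(depositToken.approve(newSource, type(uint256).max), "approve failed");
        // Invariant: the replaced source has no remaining spending rights.
        assert(depositToken.allowance(address(this), old) == 0);
    }
}
```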

Findings Information

🌟 Selected for report: tensors

Labels

bug
1 (Low Risk)
SwappableYieldSource
sponsor confirmed

Awards

310.484 USDC - $310.48

Handle

tensors

Vulnerability details

Impact

There are a few tokens out there that do not use any decimals. As far as I know, none of them would be a good yield source, but just in case something comes out, you may want to include the possibility that decimals = 0.

Proof of Concept

https://github.com/pooltogether/swappable-yield-source/blob/89cf66a3e3f8df24a082e1cd0a0e80d08953049c/contracts/SwappableYieldSource.sol#L116

Remove the require statement.
