PoolTogether Aave v3 contest

A protocol for no loss prize savings on Ethereum.

Twitter

General Information

Platform: Code4rena

Start Date: 29/04/2022

End Date: 01/05/2022

Period: 3 days

Status: Completed

Pot Size: $22,000 USDC

Participants: 40

Reporter: liveactionllama

Judge: Justin Goro

Id: 114

League: ETH

Findings Distribution

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository

Leaderboard


IllIllI	1/40	$5,204.03	5	0	3	1	-	-
leastwood	2/40	$3,642.27	2	1	1	1	0	0
unforgiven	3/40	$1,914.48	2	1	1	0	0	0
GimelSec	4/40	$1,778.23	3	0	1	0	-	-
0x1f8b	5/40	$1,441.50	2	0	1	0	0	-
MaratCerby	6/40	$893.04	3	0	1	0	-	-
berndartmueller	7/40	$810.00	2	1	1	0	0	0
CertoraInc	8/40	$810.00	2	1	1	0	0	0
gzeon	9/40	$677.69	3	1	0	0	-	-
kebabsec	10/40	$605.71	2	1	0	0	-	0

40 auditor(s).

Auditor per page

Page 1 of 4

PoolTogether Aave v3 contest details

$20,500 USDC main award pot
$1,500 USDC gas optimization award pot
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts April 29, 2022 00:00 UTC
Ends May 1, 2022 23:59 UTC

Resources

Contest Scope

This is a contest to evaluate the Aave V3 Yield Source contract for PoolTogether.

This contract adheres to the Yield Source Interface, which is a generic interface that allows a Yield Source Prize Pool to use an external contract to generate interest. As long as a contract supports the Yield Source Interface, it can be plugged into the Yield Source Prize Pool. This makes it easy to add new yield sources.

This contract also adheres to the ERC20 standard and mints tokens to the Prize Pool when users deposit into it. These tokens represent the share of deposits owned by a Prize Pool. Users can then withdraw their deposits from the Prize Pool and these shares are then burnt. This flow is illustrated in the following diagrams: Deposit Flow

You can learn more about PoolTogether V4 and how the Yield Source Prize Pool works at the following links:

To learn more about Aave V3, you can read the documentation here:

Aave V3 Documentation

Only the following contract is part of the audit scope:

Contract Name	Source Lines of Code	Libraries	External Calls
AaveV3YieldSource	~200 sLoC	OpenZeppelin, Manageable	Aave V3 Pool, Aave V3 RewardsController

Areas of Concern

The main areas of concern are the following:

is the unlimited approval of the Aave V3 Pool contract safe? Focus on the following line and the functions decreaseERC20Allowance and increaseERC20Allowance.
are the shares being calculated correctly? Focus on the _tokenToShares and _sharesToToken functions. Keep in mind that aTokens’ value is pegged to the value of the corresponding supplied asset at a 1:1 ratio.
is the minting and burning of shares being done correctly? Focus on the supplyTokenTo and redeemToken functions.
is there any reentrancy attack possible? Focus on the functions to withdraw and deposit.
are functions being restricted correctly in term of ownership and managership?

Gas Optimization

When suggesting gas optimizations, please run the yarn test command and write down the improvement in gas usage in your report. Don't forget to set the REPORT_GAS environment variable to true in order to generate the gas report.

Contact

If you have any questions, don't hesitate to reach out to us on the C4 Discord channel setup for this contest.