Closed code423n4 closed 3 years ago
By depositing tokens directly into the yield source, you're effectively distributing those tokens over all shareholders. There is nothing to be gained by depositing.
Vulnerability relies on a non-existent withdraw mechanism. Attempting this exploit would benefit, not harm, all users. Closing.
Handle
tensors
Vulnerability details
Impact
Increasing/decreasing the balance of tokens in the pool by manually depositing them changes the values of the shares.
Proof of Concept
https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L147-L149
https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L164-L166
Suppose that before I swap my shares (S in total) for tokens (T in total), I deposit X tokens to the pool without getting shares for them.
By the shares-to-tokens formula, if S(A+X)/T - X > 0, I can take a profit from artificially increasing the price.
If I have some mechanism to withdraw the tokens X that I deposited, then it is always profitable to manipulate the price of the shares. I couldn't find such a mechanism in the code, but maybe someone else did.
Recommended Mitigation Steps
Record the price gained through interest alone, or don't allow deposits from unknown sources.
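The accounting behind the closing comments can be checked with a small model. This is an added example, not part of the original report and not the contract's code; it assumes pro-rata share pricing (tokens = shares * balance / totalShares, with integer division), and `YieldSourceModel`, `donate` and `donor_net` are hypothetical names.

```python
# Added illustration: assumed pro-rata share accounting, not ATokenYieldSource itself.
from dataclasses import dataclass, field


@dataclass
class YieldSourceModel:
    balance: int = 0        # tokens held by the yield source
    total_shares: int = 0   # shares outstanding
    shares: dict = field(default_factory=dict)

    def tokens_to_shares(self, tokens: int) -> int:
        if self.total_shares == 0:
            return tokens
        return tokens * self.total_shares // self.balance

    def shares_to_tokens(self, shares: int) -> int:
        if self.total_shares == 0:
            return shares
        return shares * self.balance // self.total_shares

    def supply(self, who: str, tokens: int) -> int:
        minted = self.tokens_to_shares(tokens)
        self.balance += tokens
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, tokens: int) -> None:
        # Direct transfer to the yield source: balance grows, no shares are minted.
        self.balance += tokens

    def redeem_all(self, who: str) -> int:
        burned = self.shares.pop(who, 0)
        out = self.shares_to_tokens(burned)
        self.balance -= out
        self.total_shares -= burned
        return out


def donor_net(donor_stake: int, others_stake: int, donation: int):
    """Return (donor profit, other holders' profit) after a direct donation."""
    pool = YieldSourceModel()
    pool.supply("donor", donor_stake)
    pool.supply("others", others_stake)
    pool.donate(donation)
    donor_out = pool.redeem_all("donor")
    others_out = pool.redeem_all("others")
    return donor_out - donor_stake - donation, others_out - others_stake
```

With constructed values, a holder of 25% of the shares who donates 400 tokens recovers only 100 of them on redemption; the other 300 go to the remaining shareholders. The donor breaks even only when holding every share.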