Closed code423n4 closed 2 years ago
Risk of locking assets by compromised delegator / representative since the `setLockUntil` function can be called infinitely.
The `setLockUntil` function can only be called through the TwabDelegator contract by interacting with the `updateDelegatee` function: https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L274
In this function, we ensure that the delegation isn't locked before allowing the delegator or his representative to update the lock duration: https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L269
So the delegator or representative would simply lock their own funds indefinitely. This contract is not responsible for users' wallet security.
TWABDelegator.sol:299 – Required to check the limit of ticket amount to be sent.
It will revert at the `safeTransferFrom` step if the user doesn't have enough tickets in his wallet: https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L304
TWABDelegator.sol:360 - Required to check the availability of the amount.
TWABDelegator.sol:386 - Required to check the availability of the amount.
The `_transfer` function calls `_transferCall`, which then calls the transfer function on the ticket contract. This function is used to transfer an `_amount` of tokens from a `_delegation` to a passed address `_to`: https://github.com/pooltogether/v4-twab-delegator/blob/21bb53b2ea54a248bbd1d3170dbadd3a0c83d874/contracts/TWABDelegator.sol#L537
The tickets we interact with live in the `_delegation` passed as parameter. If the user passes an `_amount` greater than the amount of tickets living in the delegation, the transfer call will revert.
For the reasons above, I've disputed the issue.
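To make the two points in the reply above concrete, here is an added example written for this page; it is not PoolTogether's code. It is a simplified stand-in for Delegation.sol and TWABDelegator.sol with hypothetical names (`Delegation`, `TWABDelegatorStandIn`, `createDelegation`, `transferDelegationTo`, `_requireDelegationUnlocked`): (1) a lock can only be set through `updateDelegatee`, and only once the previous lock has expired, and (2) a withdrawal larger than the delegation's ticket balance reverts inside the ERC20 `transfer` call without any explicit balance `require`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not PoolTogether's code. Contract and function names are
// simplified, hypothetical stand-ins for TWABDelegator.sol / Delegation.sol.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Stand-in for Delegation.sol: holds the delegated tickets and a lock timestamp.
/// Only its creator (the delegator contract) may call it.
contract Delegation {
    address public immutable controller;
    uint96 public lockUntil;

    constructor(uint96 _lockUntil) {
        controller = msg.sender;
        lockUntil = _lockUntil;
    }

    modifier onlyController() {
        require(msg.sender == controller, "Delegation/only-controller");
        _;
    }

    function setLockUntil(uint96 _lockUntil) external onlyController {
        lockUntil = _lockUntil;
    }

    /// Moves tickets out of this delegation. A standard ERC20 `transfer` reverts
    /// when `_amount` exceeds this contract's balance (a token that returns
    /// false instead is caught by the require), so no extra balance check is needed.
    function transfer(IERC20 _ticket, address _to, uint256 _amount) external onlyController {
        require(_ticket.transfer(_to, _amount), "Delegation/transfer-failed");
    }
}

/// Stand-in for TWABDelegator.sol showing the two checks discussed in the thread.
contract TWABDelegatorStandIn {
    IERC20 public immutable ticket;
    mapping(address => mapping(uint256 => Delegation)) public delegations;

    constructor(IERC20 _ticket) {
        ticket = _ticket;
    }

    function _lockUntil(uint96 _lockDuration) internal view returns (uint96) {
        return uint96(block.timestamp) + _lockDuration;
    }

    /// The lock check: an active lock blocks any change, including extending the lock.
    function _requireDelegationUnlocked(Delegation _delegation) internal view {
        require(block.timestamp >= _delegation.lockUntil(), "TWABDelegator/delegation-locked");
    }

    function createDelegation(uint256 _slot, uint96 _lockDuration) external returns (Delegation) {
        require(address(delegations[msg.sender][_slot]) == address(0), "TWABDelegator/slot-taken");
        Delegation d = new Delegation(_lockUntil(_lockDuration));
        delegations[msg.sender][_slot] = d;
        return d;
    }

    /// `setLockUntil` is only reachable through here, and only after the previous
    /// lock has expired: a caller cannot stack a new lock onto an active one.
    function updateDelegatee(uint256 _slot, uint96 _lockDuration) external {
        Delegation d = delegations[msg.sender][_slot];
        require(address(d) != address(0), "TWABDelegator/no-delegation");
        _requireDelegationUnlocked(d);
        d.setLockUntil(_lockUntil(_lockDuration));
    }

    /// Withdraws tickets from a delegation. Deliberately no
    /// `require(_amount <= ticket.balanceOf(address(d)))`: the ERC20 transfer
    /// inside `d.transfer` reverts on an insufficient balance, which is the
    /// behaviour the reply above relies on.
    function transferDelegationTo(uint256 _slot, address _to, uint256 _amount) external {
        Delegation d = delegations[msg.sender][_slot];
        require(address(d) != address(0), "TWABDelegator/no-delegation");
        _requireDelegationUnlocked(d);
        d.transfer(ticket, _to, _amount);
    }
}
```

Deploy `TWABDelegatorStandIn` against any ERC20 ticket, call `createDelegation` with a non-zero duration, then call `updateDelegatee` on the same slot before the lock expires: it reverts with `TWABDelegator/delegation-locked`. Calling `transferDelegationTo` with an amount above the delegation's ticket balance reverts inside the token's `transfer`, which is the check the explicit `require` in the finding would duplicate.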
Delegation.sol:52 Risk of locking assets by compromised delegator / representative since the `setLockUntil` function can be called infinitely.
TWABDelegator.sol
TWABDelegator.sol:299 – Required to check the limit of ticket amount to be sent. `require(_amount <= ticket.balanceOf(address(delegation)));`
TWABDelegator.sol:360 - Required to check the availability of the amount.
TWABDelegator.sol:386 - Required to check the availability of the amount.