code-423n4 / 2022-04-pooltogether-findings


Pool has free access to all funds without using the redeem method #87

Closed by code423n4 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/pooltogether/aave-v3-yield-source/blob/e63d1b0e396a5bce89f093630c282ca1c6627e44/contracts/AaveV3YieldSource.sol#L183

Vulnerability details

Impact

Pool has access to all funds even if they weren't deposited by the pool

Proof of Concept

The AAVE yield source contract allows anyone to deposit and withdraw funds that are deposited to or withdrawn from AAVE. In the constructor of the contract, max approval is given to the pool for all aTokens. This means the pool has access to all funds without using the withdrawal method, which breaks the shares mechanism since funds are being withdrawn without burning the corresponding shares from the pool.

The pool can use this approval to drain all tokens and steal the principal of other depositors.

Recommended Mitigation Steps

Remove the approval from the constructor

PierrickGT commented 2 years ago

Lack of understanding of how Aave pools work. The Aave pool can't withdraw tokens from the yield source and even if it could drain USDC from the contract, the yield source should only contain aUSDC. So for these reasons, I have disputed the issue.

gititGoro commented 2 years ago

Smart contracts aren't actually smart. Marking as invalid.