Based on the illustration below, it is assumed that only the YieldSourcePrizePool (not in scope) should be able to deposit and redeem, but anyone can call supplyTokenTo() and redeem().
https://user-images.githubusercontent.com/85371239/165866541-a7ff64a6-7da7-47ac-bd1f-9d64da638d9d.png
Also, if a user calls supplyTokenTo() directly, the pTaUSDCY will be minted to the prize pool, but the ticket token would not be attributable to the user; that pTaUSDCY could therefore never be burnt, and no rewards would be calculated for the user.
From my conversation with the dev (Pierreck), he stated: "Why would we restrict these functions only to Prize Pools?"
This does not match what is described in the documentation provided.
Recommended Mitigation
Set the address of the YieldSourcePrizePool in the constructor and check on every call to supplyTokenTo() and redeem():
require(msg.sender == yieldSourcePrizePool, "not prize pool");
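The mitigation above as an added example (not the audited project's code): the prize pool address is fixed in the constructor and both entry points are gated by one modifier. Function signatures, the share mapping and the event names are assumptions made for illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited yield source: restricts supplyTokenTo() and
// redeem() to the prize pool address set once at deployment. Token transfers
// and yield-protocol calls are omitted; the access check is the point shown.
contract RestrictedYieldSource {
    // The only caller allowed to supply or redeem; immutable after deployment.
    address public immutable yieldSourcePrizePool;

    // Assumed, simplified share accounting: deposits credited per recipient.
    mapping(address => uint256) public shares;

    event Supplied(address indexed to, uint256 amount);
    event Redeemed(address indexed from, uint256 amount);

    constructor(address _yieldSourcePrizePool) {
        require(_yieldSourcePrizePool != address(0), "zero prize pool");
        yieldSourcePrizePool = _yieldSourcePrizePool;
    }

    // Reverts for any caller other than the prize pool, closing the path where
    // an arbitrary user supplies funds that are credited to the pool but never
    // attributed back to that user.
    modifier onlyPrizePool() {
        require(msg.sender == yieldSourcePrizePool, "not prize pool");
        _;
    }

    function supplyTokenTo(uint256 amount, address to) external onlyPrizePool {
        // Underlying token transfer and protocol deposit omitted (assumed).
        shares[to] += amount;
        emit Supplied(to, amount);
    }

    function redeem(uint256 amount) external onlyPrizePool returns (uint256) {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        // Withdrawal from the underlying protocol omitted (assumed).
        emit Redeemed(msg.sender, amount);
        return amount;
    }
}
```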